clawbot
08f57bc105
All checks were successful
check / check (push) Successful in 6s
## Summary Adds per-IP rate limiting to `POST /api/v1/login` to prevent brute-force password attacks. closes #35 ## What Changed ### New package: `internal/ratelimit/` A generic per-key token-bucket rate limiter built on `golang.org/x/time/rate`: - `New(ratePerSec, burst)` creates a limiter with automatic background cleanup of stale entries - `Allow(key)` checks if a request from the given key should be permitted - `Stop()` terminates the background sweep goroutine - Stale entries (unused for 15 minutes) are pruned every 10 minutes ### Login handler integration The login handler (`internal/handlers/auth.go`) now: 1. Extracts the client IP from `X-Forwarded-For`, `X-Real-IP`, or `RemoteAddr` 2. Checks the per-IP rate limiter before processing the login 3. Returns **429 Too Many Requests** with a `Retry-After: 1` header when the limit is exceeded ### Configuration Two new environment variables (via Viper): | Variable | Default | Description | |---|---|---| | `LOGIN_RATE_LIMIT` | `1` | Allowed login attempts per second per IP | | `LOGIN_RATE_BURST` | `5` | Maximum burst of login attempts per IP | ### Scope Per [sneak's instruction](#35), only the login endpoint is rate-limited. Session creation and registration use hashcash proof-of-work instead. ## Tests - 6 unit tests for the `ratelimit` package (constructor, burst, burst exceeded, key isolation, key tracking, stop) - 2 integration tests in `api_test.go`: - `TestLoginRateLimitExceeded`: exhausts burst with rapid requests, verifies 429 response and `Retry-After` header - `TestLoginRateLimitAllowsNormalUse`: verifies normal login still works ## README - Added "Login Rate Limiting" subsection under "Rate Limiting & Abuse Prevention" - Added `LOGIN_RATE_LIMIT` and `LOGIN_RATE_BURST` to the Configuration table Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Reviewed-on: #78 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>
329 lines
7.0 KiB
Go
329 lines
7.0 KiB
Go
// Package handlers provides HTTP request handlers for the neoirc server.
|
|
package handlers
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"log/slog"
|
|
"net/http"
|
|
"time"
|
|
|
|
"git.eeqj.de/sneak/neoirc/internal/broker"
|
|
"git.eeqj.de/sneak/neoirc/internal/config"
|
|
"git.eeqj.de/sneak/neoirc/internal/db"
|
|
"git.eeqj.de/sneak/neoirc/internal/globals"
|
|
"git.eeqj.de/sneak/neoirc/internal/hashcash"
|
|
"git.eeqj.de/sneak/neoirc/internal/healthcheck"
|
|
"git.eeqj.de/sneak/neoirc/internal/logger"
|
|
"git.eeqj.de/sneak/neoirc/internal/ratelimit"
|
|
"git.eeqj.de/sneak/neoirc/internal/stats"
|
|
"go.uber.org/fx"
|
|
)
|
|
|
|
var errUnauthorized = errors.New("unauthorized")
|
|
|
|
// Params defines the dependencies for creating Handlers.
|
|
type Params struct {
|
|
fx.In
|
|
|
|
Logger *logger.Logger
|
|
Globals *globals.Globals
|
|
Config *config.Config
|
|
Database *db.Database
|
|
Healthcheck *healthcheck.Healthcheck
|
|
Stats *stats.Tracker
|
|
}
|
|
|
|
const defaultIdleTimeout = 30 * 24 * time.Hour
|
|
|
|
// spentHashcashTTL is how long spent hashcash tokens are
|
|
// retained for replay prevention. Per issue requirements,
|
|
// this is 1 year.
|
|
const spentHashcashTTL = 365 * 24 * time.Hour
|
|
|
|
// Handlers manages HTTP request handling.
|
|
type Handlers struct {
|
|
params *Params
|
|
log *slog.Logger
|
|
hc *healthcheck.Healthcheck
|
|
broker *broker.Broker
|
|
hashcashVal *hashcash.Validator
|
|
channelHashcash *hashcash.ChannelValidator
|
|
loginLimiter *ratelimit.Limiter
|
|
stats *stats.Tracker
|
|
cancelCleanup context.CancelFunc
|
|
}
|
|
|
|
// New creates a new Handlers instance.
|
|
func New(
|
|
lifecycle fx.Lifecycle,
|
|
params Params,
|
|
) (*Handlers, error) {
|
|
resource := params.Config.ServerName
|
|
if resource == "" {
|
|
resource = "neoirc"
|
|
}
|
|
|
|
loginRate := params.Config.LoginRateLimit
|
|
if loginRate <= 0 {
|
|
loginRate = ratelimit.DefaultRate
|
|
}
|
|
|
|
loginBurst := params.Config.LoginRateBurst
|
|
if loginBurst <= 0 {
|
|
loginBurst = ratelimit.DefaultBurst
|
|
}
|
|
|
|
hdlr := &Handlers{ //nolint:exhaustruct // cancelCleanup set in startCleanup
|
|
params: ¶ms,
|
|
log: params.Logger.Get(),
|
|
hc: params.Healthcheck,
|
|
broker: broker.New(),
|
|
hashcashVal: hashcash.NewValidator(resource),
|
|
channelHashcash: hashcash.NewChannelValidator(),
|
|
loginLimiter: ratelimit.New(loginRate, loginBurst),
|
|
stats: params.Stats,
|
|
}
|
|
|
|
lifecycle.Append(fx.Hook{
|
|
OnStart: func(ctx context.Context) error {
|
|
hdlr.startCleanup(ctx)
|
|
|
|
return nil
|
|
},
|
|
OnStop: func(_ context.Context) error {
|
|
hdlr.stopCleanup()
|
|
|
|
return nil
|
|
},
|
|
})
|
|
|
|
return hdlr, nil
|
|
}
|
|
|
|
func (hdlr *Handlers) respondJSON(
|
|
writer http.ResponseWriter,
|
|
_ *http.Request,
|
|
data any,
|
|
status int,
|
|
) {
|
|
writer.Header().Set(
|
|
"Content-Type",
|
|
"application/json; charset=utf-8",
|
|
)
|
|
writer.WriteHeader(status)
|
|
|
|
if data != nil {
|
|
err := json.NewEncoder(writer).Encode(data)
|
|
if err != nil {
|
|
hdlr.log.Error(
|
|
"json encode error", "error", err,
|
|
)
|
|
}
|
|
}
|
|
}
|
|
|
|
func (hdlr *Handlers) respondError(
|
|
writer http.ResponseWriter,
|
|
request *http.Request,
|
|
msg string,
|
|
status int,
|
|
) {
|
|
hdlr.respondJSON(
|
|
writer, request,
|
|
map[string]string{"error": msg},
|
|
status,
|
|
)
|
|
}
|
|
|
|
func (hdlr *Handlers) idleTimeout() time.Duration {
|
|
raw := hdlr.params.Config.SessionIdleTimeout
|
|
if raw == "" {
|
|
return defaultIdleTimeout
|
|
}
|
|
|
|
dur, err := time.ParseDuration(raw)
|
|
if err != nil {
|
|
hdlr.log.Error(
|
|
"invalid SESSION_IDLE_TIMEOUT, using default",
|
|
"value", raw, "error", err,
|
|
)
|
|
|
|
return defaultIdleTimeout
|
|
}
|
|
|
|
return dur
|
|
}
|
|
|
|
// startCleanup launches the idle-user cleanup goroutine.
|
|
// We use context.Background rather than the OnStart ctx
|
|
// because the OnStart context is startup-scoped and would
|
|
// cancel the goroutine once all start hooks complete.
|
|
//
|
|
//nolint:contextcheck // intentional Background ctx
|
|
func (hdlr *Handlers) startCleanup(_ context.Context) {
|
|
cleanupCtx, cancel := context.WithCancel(
|
|
context.Background(),
|
|
)
|
|
hdlr.cancelCleanup = cancel
|
|
|
|
go hdlr.cleanupLoop(cleanupCtx)
|
|
}
|
|
|
|
func (hdlr *Handlers) stopCleanup() {
|
|
if hdlr.cancelCleanup != nil {
|
|
hdlr.cancelCleanup()
|
|
}
|
|
|
|
if hdlr.loginLimiter != nil {
|
|
hdlr.loginLimiter.Stop()
|
|
}
|
|
}
|
|
|
|
func (hdlr *Handlers) cleanupLoop(ctx context.Context) {
|
|
timeout := hdlr.idleTimeout()
|
|
|
|
interval := max(timeout/2, time.Minute) //nolint:mnd // half the timeout
|
|
|
|
ticker := time.NewTicker(interval)
|
|
defer ticker.Stop()
|
|
|
|
for {
|
|
select {
|
|
case <-ticker.C:
|
|
hdlr.runCleanup(ctx, timeout)
|
|
case <-ctx.Done():
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
func (hdlr *Handlers) runCleanup(
|
|
ctx context.Context,
|
|
timeout time.Duration,
|
|
) {
|
|
cutoff := time.Now().Add(-timeout)
|
|
|
|
// Find sessions that will be orphaned so we can send
|
|
// QUIT notifications before deleting anything.
|
|
stale, err := hdlr.params.Database.
|
|
GetStaleOrphanSessions(ctx, cutoff)
|
|
if err != nil {
|
|
hdlr.log.Error(
|
|
"stale session lookup failed", "error", err,
|
|
)
|
|
}
|
|
|
|
for _, ss := range stale {
|
|
hdlr.cleanupUser(ctx, ss.ID, ss.Nick)
|
|
}
|
|
|
|
deleted, err := hdlr.params.Database.DeleteStaleUsers(
|
|
ctx, cutoff,
|
|
)
|
|
if err != nil {
|
|
hdlr.log.Error(
|
|
"user cleanup failed", "error", err,
|
|
)
|
|
|
|
return
|
|
}
|
|
|
|
if deleted > 0 {
|
|
hdlr.log.Info(
|
|
"cleaned up stale users",
|
|
"deleted", deleted,
|
|
)
|
|
}
|
|
|
|
hdlr.pruneQueuesAndMessages(ctx)
|
|
}
|
|
|
|
// parseDurationConfig parses a Go duration string,
|
|
// returning zero on empty input and logging on error.
|
|
func (hdlr *Handlers) parseDurationConfig(
|
|
name, raw string,
|
|
) time.Duration {
|
|
if raw == "" {
|
|
return 0
|
|
}
|
|
|
|
dur, err := time.ParseDuration(raw)
|
|
if err != nil {
|
|
hdlr.log.Error(
|
|
"invalid duration config, skipping",
|
|
"name", name, "value", raw, "error", err,
|
|
)
|
|
|
|
return 0
|
|
}
|
|
|
|
return dur
|
|
}
|
|
|
|
// pruneQueuesAndMessages removes old client output queue
|
|
// entries per QUEUE_MAX_AGE and old messages per
|
|
// MESSAGE_MAX_AGE.
|
|
func (hdlr *Handlers) pruneQueuesAndMessages(
|
|
ctx context.Context,
|
|
) {
|
|
queueMaxAge := hdlr.parseDurationConfig(
|
|
"QUEUE_MAX_AGE",
|
|
hdlr.params.Config.QueueMaxAge,
|
|
)
|
|
if queueMaxAge > 0 {
|
|
queueCutoff := time.Now().Add(-queueMaxAge)
|
|
|
|
pruned, err := hdlr.params.Database.
|
|
PruneOldQueueEntries(ctx, queueCutoff)
|
|
if err != nil {
|
|
hdlr.log.Error(
|
|
"client output queue pruning failed", "error", err,
|
|
)
|
|
} else if pruned > 0 {
|
|
hdlr.log.Info(
|
|
"pruned old client output queue entries",
|
|
"deleted", pruned,
|
|
)
|
|
}
|
|
}
|
|
|
|
messageMaxAge := hdlr.parseDurationConfig(
|
|
"MESSAGE_MAX_AGE",
|
|
hdlr.params.Config.MessageMaxAge,
|
|
)
|
|
if messageMaxAge > 0 {
|
|
msgCutoff := time.Now().Add(-messageMaxAge)
|
|
|
|
pruned, err := hdlr.params.Database.
|
|
PruneOldMessages(ctx, msgCutoff)
|
|
if err != nil {
|
|
hdlr.log.Error(
|
|
"message pruning failed", "error", err,
|
|
)
|
|
} else if pruned > 0 {
|
|
hdlr.log.Info(
|
|
"pruned old messages",
|
|
"deleted", pruned,
|
|
)
|
|
}
|
|
}
|
|
|
|
// Prune spent hashcash tokens older than 1 year.
|
|
hashcashCutoff := time.Now().Add(-spentHashcashTTL)
|
|
|
|
pruned, err := hdlr.params.Database.
|
|
PruneSpentHashcash(ctx, hashcashCutoff)
|
|
if err != nil {
|
|
hdlr.log.Error(
|
|
"spent hashcash pruning failed", "error", err,
|
|
)
|
|
} else if pruned > 0 {
|
|
hdlr.log.Info(
|
|
"pruned spent hashcash tokens",
|
|
"deleted", pruned,
|
|
)
|
|
}
|
|
}
|