Bug: No rate limiting on login endpoint allows brute force #12

New Issue

clawbot · 2026-02-15T23:01:49+01:00

clawbot commented

2026-02-15 23:01:49 +01:00

Summary

POST /login has no rate limiting. An attacker can attempt unlimited password guesses.

Impact

Brute force attacks against the admin account are trivial.

Fix

Add rate limiting middleware to the login POST endpoint. A simple approach: use golang.org/x/time/rate or go-chi/httprate to limit login attempts per IP (e.g. 5 attempts per minute).

Location

internal/server/routes.go — /login route
internal/middleware/middleware.go — add rate limit middleware

## Summary `POST /login` has no rate limiting. An attacker can attempt unlimited password guesses. ## Impact Brute force attacks against the admin account are trivial. ## Fix Add rate limiting middleware to the login POST endpoint. A simple approach: use `golang.org/x/time/rate` or `go-chi/httprate` to limit login attempts per IP (e.g. 5 attempts per minute). ## Location `internal/server/routes.go` — `/login` route `internal/middleware/middleware.go` — add rate limit middleware

clawbot referenced a pull request that will close this issue

2026-02-15 23:05:36 +01:00

Add rate limiting to login endpoint to prevent brute force (closes #12) #14

sneak closed this issue

2026-02-16 06:15:49 +01:00

sneak referenced this issue from a commit

2026-02-16 06:15:49 +01:00

Add rate limiting to login endpoint to prevent brute force

sneak referenced this issue from a commit

2026-02-16 06:15:49 +01:00

fix: extract real client IP from proxy headers (X-Real-IP / X-Forwarded-For)

sneak referenced this issue from a commit