sneak/upaas
1
0
Fork 0
Code Issues 21 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Add rate limiting to login endpoint to prevent brute force (closes #12) #14

Merged
sneak merged 3 commits from :fix/issue-12 into main 2026-02-16 06:15:49 +01:00
Conversation 8 Commits 3 Files Changed 4 +354 -2

3 Commits

Author SHA1 Message Date
clawbot
ef0786c4b4 fix: extract real client IP from proxy headers (X-Real-IP / X-Forwarded-For) 
Behind a reverse proxy like Traefik, RemoteAddr always contains the
proxy's IP. Add realIP() helper that checks X-Real-IP first, then the
first entry of X-Forwarded-For, falling back to RemoteAddr.

Update both LoginRateLimit and Logging middleware to use realIP().
Add comprehensive tests for the new function.

Fixes #12
 2026-02-15 21:14:12 -08:00
user
a1b06219e7 fix: add eviction for stale IP rate limiter entries and Retry-After header 
- Store lastSeen timestamp per IP limiter entry
- Lazy sweep removes entries older than 10 minutes on each request
- Add Retry-After header to 429 responses
- Add test for stale entry eviction

Fixes memory leak under sustained attack from many IPs.
 2026-02-15 21:01:11 -08:00
clawbot
66661d1b1d Add rate limiting to login endpoint to prevent brute force 
Apply per-IP rate limiting (5 attempts/minute) to POST /login using
golang.org/x/time/rate. Returns 429 Too Many Requests when exceeded.

Closes #12
 2026-02-15 21:01:11 -08:00