makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity

feat: add rate limiting on login and setup endpoints

Browse Source 
Implement in-memory rate limiter with 5 attempts per 15-minute window per IP address. Protects brute-force attacks on credential endpoints.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Jean-Luc Makiola
2026-04-03 15:36:03 +02:00
parent 41a2910aeb
commit 2dddba9a08
2 changed files with 51 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
src/server/middleware/rateLimit.ts Normal file
View File

@@ -0,0 +1,48 @@
import type { Context, Next } from "hono";
interface RateLimitEntry {
count: number;
resetAt: number;
}
const store = new Map<string, RateLimitEntry>();
const MAX_ATTEMPTS = 5;
const WINDOW_MS = 15 * 60 * 1000; // 15 minutes
function getClientIp(c: Context): string {
return c.req.header("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
}
function cleanup() {
const now = Date.now();
for (const [key, entry] of store) {
if (now >= entry.resetAt) {
store.delete(key);
}
}
}
export async function rateLimit(c: Context, next: Next) {
cleanup();
const ip = getClientIp(c);
const key = `${ip}:${c.req.path}`;
const now = Date.now();
const entry = store.get(key);
if (!entry || now >= entry.resetAt) {
store.set(key, { count: 1, resetAt: now + WINDOW_MS });
return next();
}
if (entry.count >= MAX_ATTEMPTS) {
const retryAfter = Math.ceil((entry.resetAt - now) / 1000);
c.header("Retry-After", String(retryAfter));
return c.json({ error: "Too many attempts. Try again later." }, 429);
}
entry.count++;
return next();
}

5
src/server/routes/auth.ts
View File

@@ -6,6 +6,7 @@ import { z } from "zod";
import { users } from "../../db/schema.ts"; import { users } from "../../db/schema.ts";
import { parseId } from "../lib/params.ts"; import { parseId } from "../lib/params.ts";
import { requireAuth } from "../middleware/auth.ts"; import { requireAuth } from "../middleware/auth.ts";
import { rateLimit } from "../middleware/rateLimit.ts";
import { import {
changePassword, changePassword,
createApiKey, createApiKey,
@@ -60,7 +61,7 @@ app.get("/me", (c) => {
return c.json({ user: null, setupRequired }); return c.json({ user: null, setupRequired });
}); });
app.post("/setup", zValidator("json", setupSchema), async (c) => { app.post("/setup", rateLimit, zValidator("json", setupSchema), async (c) => {
const db = c.get("db"); const db = c.get("db");
if (getUserCount(db) > 0) { if (getUserCount(db) > 0) {
@@ -81,7 +82,7 @@ app.post("/setup", zValidator("json", setupSchema), async (c) => {
return c.json({ username: user.username }, 201); return c.json({ username: user.username }, 201);
}); });
app.post("/login", zValidator("json", loginSchema), async (c) => { app.post("/login", rateLimit, zValidator("json", loginSchema), async (c) => {
const db = c.get("db"); const db = c.get("db");
const { username, password } = c.req.valid("json"); const { username, password } = c.req.valid("json");