fix(backend): rate-limit login and refresh endpoints

/auth/login and /auth/refresh had no throttling, allowing unbounded
password brute-force attempts. Add a process-local fixed-window limiter
(10 requests/minute per client IP) in front of both.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 14:14:51 +03:00
parent 40c91cec55
commit aff270fa44
2 changed files with 82 additions and 2 deletions
+5 -2
@@ -2,6 +2,7 @@ package handler
import (
"net/http"
"time"
"github.com/gin-gonic/gin"
)
@@ -46,8 +47,10 @@ func NewRouter(
// -------------------------------------------------------------------------
authGroup := v1.Group("/auth")
{
authGroup.POST("/login", authHandler.Login)
authGroup.POST("/refresh", authHandler.Refresh)
// Throttle credential endpoints per client IP to slow brute force.
authLimiter := newRateLimiter(10, time.Minute).Middleware()
authGroup.POST("/login", authLimiter, authHandler.Login)
authGroup.POST("/refresh", authLimiter, authHandler.Refresh)
protected := authGroup.Group("", auth.Handle())
{
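Review bot: The single `authLimiter` instance created at line 28 is attached to both routes, so a client's refresh calls and login attempts draw down one shared budget of 10 per minute, and every user behind the same NAT or proxy egress shares it as well; a burst of ordinary token refreshes can therefore lock out legitimate logins from that address. Consider one instance per route, e.g. `loginLimiter := newRateLimiter(10, time.Minute).Middleware()` and `refreshLimiter := newRateLimiter(REFRESH_LIMIT_PLACEHOLDER, time.Minute).Middleware()`, with the refresh budget sized to the token lifetime and expected client count per address. The limiter implementation is in the other changed file and not visible here, so it is worth confirming whether "client IP" is taken from gin's `c.ClientIP()` (which honours forwarded headers only from configured trusted proxies) rather than read directly from a forwarded header, since an attacker-controlled key defeats the throttle; the comment at line 27 could record that assumption, e.g. `// Keyed on c.ClientIP(); requires SetTrustedProxies to be configured when behind a reverse proxy.` As the description notes the limiter is process-local, the effective budget scales with replica count, so a per-account attempt counter or lockout in the login handler would be the natural complement. NewRouter's body begins and ends outside this hunk.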