
Missing Rate Limiting for Authentication Endpoints #6

@KeepingRunning

Description

The authentication endpoints currently lack rate limiting protection, making them vulnerable to brute force attacks and potential DoS (Denial of Service) attempts.

Affected Endpoints

  1. Password Login

    • File: internal/handler/auth.go
    • Method: LoginByPassword
  2. OAuth Login

    • File: internal/handler/auth.go
    • Method: LoginByOAuth
  3. OAuth Code URL Generation

    • File: internal/handler/auth.go
    • Method: GetOAuthCodeURL

Security Risks

  1. Brute Force Attacks

    • Attackers can make unlimited password login attempts
    • No cooldown period after failed attempts
  2. DoS Vulnerability

    • No limit on the number of requests per IP/user
    • Could overwhelm the service and Redis/Database
  3. Resource Exhaustion

    • Each OAuth state generation creates a Redis entry
    • Unlimited requests could fill up Redis storage

Suggested solution

  1. Add Configuration:
[rate_limit]
# Login attempts
login_max_attempts = 5
login_window_minutes = 15

# OAuth requests
oauth_max_requests = 10
oauth_window_minutes = 5

# Per IP limits
ip_max_requests = 100
ip_window_minutes = 1

  2. Apply in Handlers:
func (h *AuthHandler) LoginByPassword(ctx context.Context, req *userpb.LoginByPasswordRequest) (*userpb.LoginSession, error) {
    // Rate limit by IP
    ip := h.extractIPAddress(ctx)
    if err := h.rateLimiter.Limit(ctx, 
        fmt.Sprintf("rate:ip:%s", ip),
        h.config.RateLimit.IPMaxRequests,
        time.Duration(h.config.RateLimit.IPWindowMinutes) * time.Minute); err != nil {
        return nil, err
    }
    
    // Rate limit login attempts by email
    if err := h.rateLimiter.Limit(ctx,
        fmt.Sprintf("rate:login:%s", req.Email),
        h.config.RateLimit.LoginMaxAttempts,
        time.Duration(h.config.RateLimit.LoginWindowMinutes) * time.Minute); err != nil {
        return nil, err
    }
    
    // Existing login logic...
}

Implementation Benefits

  1. Security Enhancement

    • Prevents brute force attacks
    • Protects against DoS attempts
    • Limits resource consumption
  2. Monitoring & Alerts

    • Can track rate limit hits
    • Alert on suspicious activity
    • Identify potential attacks
  3. User Experience

    • Clear feedback on rate limits
    • Prevents account lockouts
    • Maintains service stability
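One way to implement the `Limit(ctx, key, max, window)` call that the handler sketch above relies on, added here as an example and not code from the issue or from the project: an in-memory fixed-window counter with the same signature, plus a helper that layers the per-IP and per-account checks in the order the sketch uses. `MemoryLimiter`, `RateLimitConfig`, `CheckLoginLimits`, the injectable clock and the sample IP/e-mail values are all assumptions made for this example; a production deployment with several replicas would back the same interface with Redis (`INCR` plus `EXPIRE` on the key), which is what the issue's counter keys are shaped for.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// ErrRateLimited is the sentinel callers check with errors.Is.
var ErrRateLimited = errors.New("rate limit exceeded")

// RateLimitConfig mirrors the [rate_limit] block proposed in the issue.
// The field names are assumptions; the project does not define this type yet.
type RateLimitConfig struct {
	LoginMaxAttempts   int
	LoginWindowMinutes int
	IPMaxRequests      int
	IPWindowMinutes    int
}

// bucket is the counter for one key within the current fixed window.
type bucket struct {
	count int
	reset time.Time
}

// MemoryLimiter is a fixed-window counter keyed by string. It stands in for a
// Redis-backed limiter; INCR plus EXPIRE on the same key gives equivalent
// semantics shared across replicas.
type MemoryLimiter struct {
	mu   sync.Mutex
	keys map[string]*bucket
	now  func() time.Time // injectable clock so tests can advance time
}

func NewMemoryLimiter() *MemoryLimiter {
	return &MemoryLimiter{keys: make(map[string]*bucket), now: time.Now}
}

// Limit consumes one unit of quota for key and returns ErrRateLimited once max
// calls have already been made inside the current window. The error carries
// only the retry delay, never the key, so it is safe to surface to clients
// without revealing which e-mail or IP tripped the limit.
func (l *MemoryLimiter) Limit(ctx context.Context, key string, max int, window time.Duration) error {
	if err := ctx.Err(); err != nil {
		return err
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b, ok := l.keys[key]
	if !ok || !t.Before(b.reset) { // missing or expired window: start a fresh one
		b = &bucket{reset: t.Add(window)}
		l.keys[key] = b
	}
	if b.count >= max {
		return fmt.Errorf("%w: retry after %s", ErrRateLimited, b.reset.Sub(t).Round(time.Second))
	}
	b.count++
	return nil
}

// CheckLoginLimits applies the two layers the issue's handler sketch uses: the
// coarse per-IP quota first, then the per-account quota keyed by e-mail.
// A request rejected by the per-account layer has already spent one unit of
// the per-IP quota, which is the intended direction: the IP layer is the
// backstop against one source cycling through many accounts.
func CheckLoginLimits(ctx context.Context, l *MemoryLimiter, cfg RateLimitConfig, ip, email string) error {
	if err := l.Limit(ctx, fmt.Sprintf("rate:ip:%s", ip),
		cfg.IPMaxRequests, time.Duration(cfg.IPWindowMinutes)*time.Minute); err != nil {
		return err
	}
	// Normalise the account key so case or whitespace variants of the same
	// address share one bucket instead of each getting a fresh quota.
	account := strings.ToLower(strings.TrimSpace(email))
	return l.Limit(ctx, fmt.Sprintf("rate:login:%s", account),
		cfg.LoginMaxAttempts, time.Duration(cfg.LoginWindowMinutes)*time.Minute)
}

func main() {
	// Constructed demo values; the limits match the issue's proposed config.
	cfg := RateLimitConfig{LoginMaxAttempts: 5, LoginWindowMinutes: 15, IPMaxRequests: 100, IPWindowMinutes: 1}
	l := NewMemoryLimiter()
	ctx := context.Background()
	for i := 1; i <= 7; i++ {
		err := CheckLoginLimits(ctx, l, cfg, "203.0.113.7", "alice@example.com")
		fmt.Printf("attempt %d: %v\n", i, err) // attempts 6 and 7 report the limit
	}
}
```

Two points worth noting when wiring this into the handlers: the per-account counter here counts every attempt, so the "cooldown after failed attempts" from the issue is satisfied but successful logins also consume quota; incrementing only after a failed password check is a small change if that is preferred. And the counter keys are per process in this in-memory form, so horizontally scaled deployments need the Redis-backed variant to get one shared quota.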

Labels

  • security
  • enhancement
  • rate-limiting
