feat(auth): wire lockout, rate-limit, and constant-time login into both routes

Both POST /login (HTML form) and POST /api/v1/auth/login now flow through the shared attemptLogin() handler. Locked accounts respond with 401 + Retry-After (generic body "Invalid credentials" / "Invalid username or password") so attackers can't use lockout state as a username-existence oracle. @fastify/rate-limit registered with global=false; only the two login routes opt in via per-route rateLimit config. File uploads and downloads keep full throughput. Custom errorResponseBuilder logs AUTH_RATE_LIMITED fire-and-forget so fail2ban can pick it up. createTestApp now accepts Partial<Config> overrides so integration tests can dial thresholds down without env-var mutation.
2026-05-03 03:41:51 -07:00
parent ad36b23061
commit bbd292c085
6 changed files with 307 additions and 38 deletions
--- a/src/routes/api/v1/auth.ts
+++ b/src/routes/api/v1/auth.ts
@@ -2,14 +2,15 @@ import type { FastifyPluginAsync } from 'fastify';
 import type Database from 'better-sqlite3';
 import type { Config } from '../../../config.ts';
 import type { Logger } from '../../../middleware/logging.ts';
-import { getUserByUsername } from '../../../db/users.ts';
-import { verifyPassword } from '../../../services/auth.ts';
+import type { LockoutService } from '../../../services/lockout.ts';
+import { attemptLogin } from '../../../services/login-handler.ts';
 import { requireAuth, tokenCookieOptions } from '../../../middleware/auth.ts';

 interface Deps {
  db: Database.Database;
  config: Config;
  logger: Logger;
+  lockout: LockoutService;
 }

 interface LoginBody {
@@ -18,30 +19,50 @@ interface LoginBody {
 }

 export const authApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
-  const { db, config, logger } = deps;
+  const { config } = deps;

-  app.post<{ Body: LoginBody }>('/login', async (request, reply) => {
-    const { username, password } = request.body ?? {};
-    const ip = request.ip;
-    const userAgent = request.headers['user-agent'] ?? '';
+  app.post<{ Body: LoginBody }>(
+    '/login',
+    {
+      config: {
+        rateLimit: {
+          max: config.loginRateLimitMax,
+          timeWindow: config.loginRateLimitWindowSeconds * 1000,
+        },
+      },
+    },
+    async (request, reply) => {
+      const { username, password } = request.body ?? {};

-    if (!username || !password) {
-      return reply.status(400).send({ error: 'username and password are required' });
-    }
+      const result = await attemptLogin(deps, {
+        username: username ?? '',
+        password: password ?? '',
+        ip: request.ip,
+        userAgent: request.headers['user-agent'] ?? '',
+      });

-    const user = getUserByUsername(db, username);
-    const valid = user ? await verifyPassword(password, user.password_hash) : false;
+      if (result.kind === 'bad_request') {
+        return reply.status(400).send({ error: 'username and password are required' });
+      }

-    if (!user || !valid) {
-      await logger.authFailure({ ip, userAgent, username });
-      return reply.status(401).send({ error: 'Invalid credentials' });
-    }
+      if (result.kind === 'locked') {
+        return reply
+          .status(401)
+          .header('Retry-After', String(result.retryAfterSeconds))
+          .send({ error: 'Invalid credentials' });
+      }

-    await logger.authSuccess({ ip, userAgent, username });
+      if (result.kind === 'bad_credentials') {
+        return reply.status(401).send({ error: 'Invalid credentials' });
+      }

-    const token = app.jwt.sign({ sub: user.id, username: user.username }, { expiresIn: config.jwtExpiry });
-    reply.setCookie('token', token, tokenCookieOptions(config.cookieSecure)).send({ ok: true });
-  });
+      const token = app.jwt.sign(
+        { sub: result.user.id, username: result.user.username },
+        { expiresIn: config.jwtExpiry },
+      );
+      reply.setCookie('token', token, tokenCookieOptions(config.cookieSecure)).send({ ok: true });
+    },
+  );

  app.post('/logout', { preHandler: requireAuth }, async (_request, reply) => {
    reply.clearCookie('token', { path: '/' }).send({ ok: true });
--- a/src/routes/pages.ts
+++ b/src/routes/pages.ts
@@ -6,10 +6,10 @@ import type Database from 'better-sqlite3';
 import type { Config } from '../config.ts';
 import type { Logger } from '../middleware/logging.ts';
 import type { JwtPayload } from '../types.ts';
-import { getUserByUsername } from '../db/users.ts';
+import type { LockoutService } from '../services/lockout.ts';
 import { createFile, getFileById, getFilesByUserId, deleteFile } from '../db/files.ts';
-import { verifyPassword } from '../services/auth.ts';
 import { saveFile, deleteStoredFile, getFilePath } from '../services/storage.ts';
+import { attemptLogin } from '../services/login-handler.ts';
 import { requireAuth, tokenCookieOptions } from '../middleware/auth.ts';
 import { loginPage } from '../views/login.ts';
 import { uploadPage, uploadResultPage } from '../views/upload.ts';
@@ -21,6 +21,7 @@ interface Deps {
  db: Database.Database;
  config: Config;
  logger: Logger;
+  lockout: LockoutService;
 }

 function parseRangeHeader(header: string, fileSize: number): { start: number; end: number } | null {
@@ -48,6 +49,12 @@ function parseRangeHeader(header: string, fileSize: number): { start: number; en

 export const pageRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
  const { db, config, logger } = deps;
+  const loginRateLimit = {
+    rateLimit: {
+      max: config.loginRateLimitMax,
+      timeWindow: config.loginRateLimitWindowSeconds * 1000,
+    },
+  };

  // GET / — login page or redirect if authed
  app.get('/', async (request, reply) => {
@@ -60,24 +67,37 @@ export const pageRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps
  });

  // POST /login — form login
-  app.post<{ Body: { username?: string; password?: string } }>('/login', async (request, reply) => {
-    const { username = '', password = '' } = request.body ?? {};
-    const ip = request.ip;
-    const userAgent = request.headers['user-agent'] ?? '';
+  app.post<{ Body: { username?: string; password?: string } }>(
+    '/login',
+    { config: loginRateLimit },
+    async (request, reply) => {
+      const { username = '', password = '' } = request.body ?? {};

-    const user = getUserByUsername(db, username);
-    const valid = user ? await verifyPassword(password, user.password_hash) : false;
+      const result = await attemptLogin(deps, {
+        username,
+        password,
+        ip: request.ip,
+        userAgent: request.headers['user-agent'] ?? '',
+      });

-    if (!user || !valid) {
-      await logger.authFailure({ ip, userAgent, username });
-      return reply.type('text/html').send(loginPage({ error: 'Invalid username or password' }));
-    }
+      if (result.kind === 'locked') {
+        return reply
+          .type('text/html')
+          .header('Retry-After', String(result.retryAfterSeconds))
+          .send(loginPage({ error: 'Invalid username or password' }));
+      }

-    await logger.authSuccess({ ip, userAgent, username });
+      if (result.kind !== 'success') {
+        return reply.type('text/html').send(loginPage({ error: 'Invalid username or password' }));
+      }

-    const token = app.jwt.sign({ sub: user.id, username: user.username }, { expiresIn: config.jwtExpiry });
-    reply.setCookie('token', token, tokenCookieOptions(config.cookieSecure)).redirect('/upload');
-  });
+      const token = app.jwt.sign(
+        { sub: result.user.id, username: result.user.username },
+        { expiresIn: config.jwtExpiry },
+      );
+      reply.setCookie('token', token, tokenCookieOptions(config.cookieSecure)).redirect('/upload');
+    },
+  );

  // POST /logout
  app.post('/logout', { preHandler: requireAuth }, async (_request, reply) => {
--- a/src/server.ts
+++ b/src/server.ts
@@ -4,11 +4,13 @@ import fastifyJwt from '@fastify/jwt';
 import fastifyMultipart from '@fastify/multipart';
 import fastifyFormbody from '@fastify/formbody';
 import fastifyStatic from '@fastify/static';
+import fastifyRateLimit from '@fastify/rate-limit';
 import { join } from 'path';
 import { fileURLToPath } from 'url';
 import type Database from 'better-sqlite3';
 import type { Config } from './config.ts';
 import { createLogger } from './middleware/logging.ts';
+import { createLockoutService } from './services/lockout.ts';
 import { authApiRoutes } from './routes/api/v1/auth.ts';
 import { filesApiRoutes } from './routes/api/v1/files.ts';
 import { pageRoutes } from './routes/pages.ts';
@@ -23,6 +25,7 @@ interface ServerDeps {
 export function createServer({ config, db }: ServerDeps) {
  const app = Fastify({ logger: false, trustProxy: config.trustProxy });
  const logger = createLogger(config.logFile);
+  const lockout = createLockoutService({ db, config });

  app.register(fastifyCookie);
  app.register(fastifyJwt, {
@@ -35,8 +38,20 @@ export function createServer({ config, db }: ServerDeps) {
    root: join(__dirname, '..', 'public'),
    prefix: '/public/',
  });
+  app.register(fastifyRateLimit, {
+    global: false,
+    keyGenerator: (req) => req.ip,
+    errorResponseBuilder: (req) => {
+      void logger.authRateLimited({
+        ip: req.ip,
+        userAgent: req.headers['user-agent'] ?? '',
+        route: req.url,
+      });
+      return { statusCode: 429, error: 'Too many requests' };
+    },
+  });

-  const deps = { db, config, logger };
+  const deps = { db, config, logger, lockout };

  app.register(authApiRoutes, { prefix: '/api/v1/auth', deps });
  app.register(filesApiRoutes, { prefix: '/api/v1/files', deps });