feat(auth): wire lockout, rate-limit, and constant-time login into both routes
All checks were successful
Deploy to Homelab / deploy (push) Successful in 18s
All checks were successful
Deploy to Homelab / deploy (push) Successful in 18s
Both POST /login (HTML form) and POST /api/v1/auth/login now flow through the shared attemptLogin() handler. Locked accounts respond with 401 + Retry-After (generic body "Invalid credentials" / "Invalid username or password") so attackers can't use lockout state as a username-existence oracle. @fastify/rate-limit registered with global=false; only the two login routes opt in via per-route rateLimit config. File uploads and downloads keep full throughput. Custom errorResponseBuilder logs AUTH_RATE_LIMITED fire-and-forget so fail2ban can pick it up. createTestApp now accepts Partial<Config> overrides so integration tests can dial thresholds down without env-var mutation.
This commit is contained in:
@@ -4,11 +4,13 @@ import fastifyJwt from '@fastify/jwt';
|
||||
import fastifyMultipart from '@fastify/multipart';
|
||||
import fastifyFormbody from '@fastify/formbody';
|
||||
import fastifyStatic from '@fastify/static';
|
||||
import fastifyRateLimit from '@fastify/rate-limit';
|
||||
import { join } from 'path';
|
||||
import { fileURLToPath } from 'url';
|
||||
import type Database from 'better-sqlite3';
|
||||
import type { Config } from './config.ts';
|
||||
import { createLogger } from './middleware/logging.ts';
|
||||
import { createLockoutService } from './services/lockout.ts';
|
||||
import { authApiRoutes } from './routes/api/v1/auth.ts';
|
||||
import { filesApiRoutes } from './routes/api/v1/files.ts';
|
||||
import { pageRoutes } from './routes/pages.ts';
|
||||
@@ -23,6 +25,7 @@ interface ServerDeps {
|
||||
export function createServer({ config, db }: ServerDeps) {
|
||||
const app = Fastify({ logger: false, trustProxy: config.trustProxy });
|
||||
const logger = createLogger(config.logFile);
|
||||
const lockout = createLockoutService({ db, config });
|
||||
|
||||
app.register(fastifyCookie);
|
||||
app.register(fastifyJwt, {
|
||||
@@ -35,8 +38,20 @@ export function createServer({ config, db }: ServerDeps) {
|
||||
root: join(__dirname, '..', 'public'),
|
||||
prefix: '/public/',
|
||||
});
|
||||
app.register(fastifyRateLimit, {
|
||||
global: false,
|
||||
keyGenerator: (req) => req.ip,
|
||||
errorResponseBuilder: (req) => {
|
||||
void logger.authRateLimited({
|
||||
ip: req.ip,
|
||||
userAgent: req.headers['user-agent'] ?? '',
|
||||
route: req.url,
|
||||
});
|
||||
return { statusCode: 429, error: 'Too many requests' };
|
||||
},
|
||||
});
|
||||
|
||||
const deps = { db, config, logger };
|
||||
const deps = { db, config, logger, lockout };
|
||||
|
||||
app.register(authApiRoutes, { prefix: '/api/v1/auth', deps });
|
||||
app.register(filesApiRoutes, { prefix: '/api/v1/files', deps });
|
||||
|
||||
Reference in New Issue
Block a user