brendan/nanodrop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): wire lockout, rate-limit, and constant-time login into both routes
All checks were successful
Deploy to Homelab / deploy (push) Successful in 18s
Details

Browse Source 
Both POST /login (HTML form) and POST /api/v1/auth/login now flow through
the shared attemptLogin() handler. Locked accounts respond with 401 +
Retry-After (generic body "Invalid credentials" / "Invalid username or
password") so attackers can't use lockout state as a username-existence
oracle.

@fastify/rate-limit registered with global=false; only the two login
routes opt in via per-route rateLimit config. File uploads and downloads
keep full throughput. Custom errorResponseBuilder logs AUTH_RATE_LIMITED
fire-and-forget so fail2ban can pick it up.

createTestApp now accepts Partial<Config> overrides so integration tests
can dial thresholds down without env-var mutation.
This commit is contained in:
Brendan Chen
2026-05-03 03:41:51 -07:00
parent ad36b23061
commit bbd292c085
6 changed files with 307 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
tests/integration/auth-lockout.test.ts Normal file
View File

@@ -0,0 +1,135 @@
import { describe, it, expect, beforeEach, afterEach } from 'vitest';
import { readFileSync } from 'fs';
import { createTestApp, type TestContext } from '../helpers/setup.ts';
import { createUser } from '../../src/db/users.ts';
import { hashPassword } from '../../src/services/auth.ts';
async function attempt(
ctx: TestContext,
username: string,
password: string,
ip = '203.0.113.7',
) {
return ctx.app.inject({
method: 'POST',
url: '/api/v1/auth/login',
headers: { 'content-type': 'application/json', 'x-forwarded-for': ip },
body: JSON.stringify({ username, password }),
});
}
describe('account lockout — JSON login', () => {
let ctx: TestContext;
beforeEach(async () => {
ctx = createTestApp({
lockoutThreshold: 3,
lockoutBaseSeconds: 60,
loginMinResponseMs: 0,
loginRateLimitMax: 1000, // effectively off for these cases
});
const hash = await hashPassword('correct-pw');
createUser(ctx.db, { username: 'alice', passwordHash: hash });
});
afterEach(async () => {
await ctx.app.close();
ctx.cleanup();
});
it('locks after threshold failed attempts and emits AUTH_LOCKOUT_TRIGGERED', async () => {
await attempt(ctx, 'alice', 'wrong');
await attempt(ctx, 'alice', 'wrong');
const third = await attempt(ctx, 'alice', 'wrong');
expect(third.statusCode).toBe(401);
const log = readFileSync(ctx.logFile, 'utf-8');
expect(log).toMatch(/AUTH_LOCKOUT_TRIGGERED/);
expect(log).toMatch(/duration_seconds=60/);
});
it('rejects correct password while locked with Retry-After header', async () => {
await attempt(ctx, 'alice', 'wrong');
await attempt(ctx, 'alice', 'wrong');
await attempt(ctx, 'alice', 'wrong');
const blocked = await attempt(ctx, 'alice', 'correct-pw');
expect(blocked.statusCode).toBe(401);
expect(blocked.headers['retry-after']).toBeDefined();
expect(parseInt(String(blocked.headers['retry-after']), 10)).toBeGreaterThan(0);
// No success log was written for the locked attempt
const log = readFileSync(ctx.logFile, 'utf-8');
expect(log).not.toMatch(/AUTH_SUCCESS/);
});
it('successful login resets the counter', async () => {
await attempt(ctx, 'alice', 'wrong');
await attempt(ctx, 'alice', 'wrong');
const ok = await attempt(ctx, 'alice', 'correct-pw');
expect(ok.statusCode).toBe(200);
// After reset, two more wrong attempts should NOT lock (threshold is 3)
await attempt(ctx, 'alice', 'wrong');
const second = await attempt(ctx, 'alice', 'wrong');
expect(second.statusCode).toBe(401);
expect(second.headers['retry-after']).toBeUndefined();
});
it('canonicalizes username — ALICE and alice share the same lockout row', async () => {
await attempt(ctx, 'ALICE', 'wrong');
await attempt(ctx, 'Alice', 'wrong');
const third = await attempt(ctx, 'alice', 'wrong');
expect(third.statusCode).toBe(401);
const log = readFileSync(ctx.logFile, 'utf-8');
expect(log).toMatch(/AUTH_LOCKOUT_TRIGGERED/);
});
it('unknown user accumulates failures (no enumeration via bypass)', async () => {
await attempt(ctx, 'ghost', 'x');
await attempt(ctx, 'ghost', 'x');
await attempt(ctx, 'ghost', 'x');
const fourth = await attempt(ctx, 'ghost', 'x');
expect(fourth.statusCode).toBe(401);
expect(fourth.headers['retry-after']).toBeDefined();
});
});
describe('account lockout — form login', () => {
let ctx: TestContext;
beforeEach(async () => {
ctx = createTestApp({
lockoutThreshold: 2,
lockoutBaseSeconds: 30,
loginMinResponseMs: 0,
loginRateLimitMax: 1000,
});
const hash = await hashPassword('correct-pw');
createUser(ctx.db, { username: 'alice', passwordHash: hash });
});
afterEach(async () => {
await ctx.app.close();
ctx.cleanup();
});
async function formAttempt(username: string, password: string) {
return ctx.app.inject({
method: 'POST',
url: '/login',
headers: { 'content-type': 'application/x-www-form-urlencoded' },
payload: `username=${encodeURIComponent(username)}&password=${encodeURIComponent(password)}`,
});
}
it('locks the form login and renders generic error with Retry-After', async () => {
await formAttempt('alice', 'wrong');
await formAttempt('alice', 'wrong');
const blocked = await formAttempt('alice', 'correct-pw');
expect(blocked.statusCode).toBe(200); // login page re-render, not redirect
expect(blocked.body).toContain('Invalid username or password');
expect(blocked.headers['retry-after']).toBeDefined();
});
});

71
tests/integration/auth-rate-limit.test.ts Normal file
View File

@@ -0,0 +1,71 @@
import { describe, it, expect, beforeEach, afterEach } from 'vitest';
import { readFileSync } from 'fs';
import { createTestApp, type TestContext } from '../helpers/setup.ts';
import { createUser } from '../../src/db/users.ts';
import { hashPassword } from '../../src/services/auth.ts';
describe('per-IP rate limit on login routes', () => {
let ctx: TestContext;
beforeEach(async () => {
ctx = createTestApp({
loginRateLimitMax: 3,
loginRateLimitWindowSeconds: 60,
lockoutThreshold: 100, // disable lockout for this suite
loginMinResponseMs: 0,
});
const hash = await hashPassword('correct-pw');
createUser(ctx.db, { username: 'alice', passwordHash: hash });
});
afterEach(async () => {
await ctx.app.close();
ctx.cleanup();
});
async function loginRequest() {
return ctx.app.inject({
method: 'POST',
url: '/api/v1/auth/login',
headers: { 'content-type': 'application/json' },
body: JSON.stringify({ username: 'alice', password: 'wrong' }),
});
}
it('returns 429 once IP exceeds the per-route limit and logs AUTH_RATE_LIMITED', async () => {
expect((await loginRequest()).statusCode).toBe(401);
expect((await loginRequest()).statusCode).toBe(401);
expect((await loginRequest()).statusCode).toBe(401);
const fourth = await loginRequest();
expect(fourth.statusCode).toBe(429);
expect(fourth.json().error).toBe('Too many requests');
// Wait for fire-and-forget log write
await new Promise((r) => setTimeout(r, 50));
const log = readFileSync(ctx.logFile, 'utf-8');
expect(log).toMatch(/AUTH_RATE_LIMITED/);
expect(log).toMatch(/route="\/api\/v1\/auth\/login"/);
});
it('does NOT throttle the file upload endpoint', async () => {
// First, get a valid session
const loginRes = await ctx.app.inject({
method: 'POST',
url: '/api/v1/auth/login',
headers: { 'content-type': 'application/json' },
body: JSON.stringify({ username: 'alice', password: 'correct-pw' }),
});
expect(loginRes.statusCode).toBe(200);
const cookie = (loginRes.headers['set-cookie'] as string).split(';')[0].replace('token=', '');
// Now hit /upload (GET) repeatedly past the login-route limit threshold
for (let i = 0; i < 6; i++) {
const r = await ctx.app.inject({
method: 'GET',
url: '/upload',
cookies: { token: cookie },
});
expect(r.statusCode).toBe(200);
}
});
});