mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-07 13:00:59 +08:00
security: login rate limiting, fix health endpoint, harden error handling
- Fix health endpoint returning null time (use time.Now() instead of context value) - Add LoginRateLimiter: 5 attempts per 15min window, 5min block on brute-force - Apply rate limiting to login/register endpoints - Move reset-password to authenticated routes (was unauthenticated — critical vuln) - Limit response body sizes on proxy/external API calls (prevent memory exhaustion) - Sanitize error messages in agent chat endpoint (don't leak internal errors) - Record login success/failure for rate limiting tracking
This commit is contained in:
@@ -136,6 +136,10 @@ func (s *Server) handleLogin(c *gin.Context) {
|
||||
|
||||
// Verify password
|
||||
if !auth.CheckPassword(req.Password, user.PasswordHash) {
|
||||
// Record failed attempt for rate limiting
|
||||
if s.loginLimiter != nil {
|
||||
s.loginLimiter.RecordFailure(c.ClientIP())
|
||||
}
|
||||
c.JSON(http.StatusUnauthorized, gin.H{"error": "Email or password incorrect"})
|
||||
return
|
||||
}
|
||||
@@ -147,6 +151,11 @@ func (s *Server) handleLogin(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
// Clear rate limit on success
|
||||
if s.loginLimiter != nil {
|
||||
s.loginLimiter.RecordSuccess(c.ClientIP())
|
||||
}
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"token": token,
|
||||
"user_id": user.ID,
|
||||
|
||||
Reference in New Issue
Block a user