-
This commit is contained in:
@ -23,23 +23,25 @@ import (
|
||||
|
||||
// SecurityMiddleware provides various security features
|
||||
type SecurityMiddleware struct {
|
||||
config config.ConfigProvider
|
||||
logger *zap.Logger
|
||||
cacheManager *cache.CacheManager
|
||||
appRepo repository.ApplicationRepository
|
||||
rateLimiters map[string]*rate.Limiter
|
||||
mu sync.RWMutex
|
||||
config config.ConfigProvider
|
||||
logger *zap.Logger
|
||||
cacheManager *cache.CacheManager
|
||||
appRepo repository.ApplicationRepository
|
||||
rateLimiters map[string]*rate.Limiter
|
||||
authRateLimiters map[string]*rate.Limiter
|
||||
mu sync.RWMutex
|
||||
}
|
||||
|
||||
// NewSecurityMiddleware creates a new security middleware
|
||||
func NewSecurityMiddleware(config config.ConfigProvider, logger *zap.Logger, appRepo repository.ApplicationRepository) *SecurityMiddleware {
|
||||
cacheManager := cache.NewCacheManager(config, logger)
|
||||
return &SecurityMiddleware{
|
||||
config: config,
|
||||
logger: logger,
|
||||
cacheManager: cacheManager,
|
||||
appRepo: appRepo,
|
||||
rateLimiters: make(map[string]*rate.Limiter),
|
||||
config: config,
|
||||
logger: logger,
|
||||
cacheManager: cacheManager,
|
||||
appRepo: appRepo,
|
||||
rateLimiters: make(map[string]*rate.Limiter),
|
||||
authRateLimiters: make(map[string]*rate.Limiter),
|
||||
}
|
||||
}
|
||||
|
||||
@ -76,6 +78,38 @@ func (s *SecurityMiddleware) RateLimitMiddleware(next http.Handler) http.Handler
|
||||
})
|
||||
}
|
||||
|
||||
// AuthRateLimitMiddleware implements stricter rate limiting for authentication endpoints
|
||||
func (s *SecurityMiddleware) AuthRateLimitMiddleware(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if !s.config.GetBool("RATE_LIMIT_ENABLED") {
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
clientIP := s.getClientIP(r)
|
||||
|
||||
// Use stricter rate limits for auth endpoints
|
||||
limiter := s.getAuthRateLimiter(clientIP)
|
||||
|
||||
// Check if request is allowed
|
||||
if !limiter.Allow() {
|
||||
s.logger.Warn("Auth rate limit exceeded",
|
||||
zap.String("client_ip", clientIP),
|
||||
zap.String("path", r.URL.Path))
|
||||
|
||||
// Track authentication failures for brute force protection
|
||||
s.TrackAuthenticationFailure(clientIP, "")
|
||||
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.WriteHeader(http.StatusTooManyRequests)
|
||||
w.Write([]byte(`{"error":"auth_rate_limit_exceeded","message":"Too many authentication attempts"}`))
|
||||
return
|
||||
}
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
// BruteForceProtectionMiddleware implements brute force protection
|
||||
func (s *SecurityMiddleware) BruteForceProtectionMiddleware(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
@ -231,6 +265,35 @@ func (s *SecurityMiddleware) getRateLimiter(clientIP string) *rate.Limiter {
|
||||
return limiter
|
||||
}
|
||||
|
||||
func (s *SecurityMiddleware) getAuthRateLimiter(clientIP string) *rate.Limiter {
|
||||
s.mu.RLock()
|
||||
limiter, exists := s.authRateLimiters[clientIP]
|
||||
s.mu.RUnlock()
|
||||
|
||||
if exists {
|
||||
return limiter
|
||||
}
|
||||
|
||||
// Create new auth rate limiter with stricter limits
|
||||
authRPS := s.config.GetInt("AUTH_RATE_LIMIT_RPS")
|
||||
if authRPS <= 0 {
|
||||
authRPS = 5 // Very strict default for auth endpoints
|
||||
}
|
||||
|
||||
authBurst := s.config.GetInt("AUTH_RATE_LIMIT_BURST")
|
||||
if authBurst <= 0 {
|
||||
authBurst = 10 // Allow small bursts
|
||||
}
|
||||
|
||||
limiter = rate.NewLimiter(rate.Limit(authRPS), authBurst)
|
||||
|
||||
s.mu.Lock()
|
||||
s.authRateLimiters[clientIP] = limiter
|
||||
s.mu.Unlock()
|
||||
|
||||
return limiter
|
||||
}
|
||||
|
||||
func (s *SecurityMiddleware) trackRateLimitViolation(clientIP string) {
|
||||
ctx := context.Background()
|
||||
key := cache.CacheKey("rate_limit_violations", clientIP)
|
||||
|
||||
Reference in New Issue
Block a user