
security: rate limiting on auth endpoints (F-01/F-02)#93

Merged
Abrechen2 merged 1 commit into master from security/rate-limiting on Mar 16, 2026

Conversation

@Abrechen2
Owner

Summary

Follow-up to #92. Fixes the two HIGH-severity findings from the 2026-03-16 internal Kali pentest.

  • F-01 (HIGH) — API key brute-force: per-IP sliding-window failure counter in `auth.py`. After 20 failed attempts within 60 s the IP receives `429 Too Many Requests` with `Retry-After: 60`. Uses `threading.Lock` + `defaultdict` — no external dependency, works correctly in single-worker Gunicorn.
  • F-02 (HIGH) — Login brute-force: `@limiter.limit("10/minute; 30/hour")` on `POST /api/v1/auth/login` via flask-limiter 4.1.1 (added to `requirements.txt`). Limiter instance lives in `extensions.py`, `init_app()` called in `create_app()`.
  • F-05 (MEDIUM) — Webhook exemption footgun documented with an explicit `IMPORTANT` comment in `auth.py` warning future developers.
  • F-09 (LOW) — rpcbind service + socket unit disabled on LXC CT101 (infra fix, already applied; port 111 confirmed closed via nmap).

Test plan

  • `ruff check . && ruff format --check .` — clean
  • `pytest tests/test_auth.py tests/test_security.py tests/test_routes_auth_ui.py` — 48/48 passed
  • Manual: 21 wrong API key requests → 21st returns 429 with Retry-After header
  • Manual: 11 login attempts in < 1 min → 11th returns 429
  • `nmap -p 111 192.168.178.194` → port closed (already confirmed)

…/05/09)

F-01 — API key brute-force protection: per-IP failure counter in auth.py
tracks failed attempts in a 60s sliding window; returns 429 + Retry-After
after 20 failures from the same IP.

F-02 — Login brute-force protection: @limiter.limit("10/minute; 30/hour")
on POST /api/v1/auth/login via flask-limiter 4.1.1 (added to requirements.txt,
Limiter instance in extensions.py, init_app() in create_app()).

F-05 — Webhook exemption documented with explicit IMPORTANT comment warning
future developers that new webhook handlers must implement their own auth.

F-09 — rpcbind service and socket unit disabled on LXC CT101 (pve-node1);
port 111 confirmed closed via nmap from Kali VM.
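The F-01 mechanism from the PR description and commit message above, as an added illustration (not the project's `auth.py`): a per-IP sliding-window failure counter guarded by a `threading.Lock` over a `defaultdict`, returning 429 with a `Retry-After` header once 20 failures land inside 60 s. `FailureLimiter`, `authenticate` and the injectable `clock` parameter are hypothetical names chosen here; the thresholds are the ones the PR states.

```python
import math
import threading
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # thresholds as stated in the PR description
MAX_FAILURES = 20

class FailureLimiter:
    """Per-IP sliding-window failure counter (hypothetical; not the project's auth.py).
    State is per process: with several Gunicorn workers each keeps its own counters."""
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                      # injectable for deterministic tests
        self._lock = threading.Lock()
        self._failures = defaultdict(deque)     # ip -> timestamps of recent failures

    def _live(self, ip, now):
        """Drop failures older than the window; return the remaining timestamps."""
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, ip):
        """Return (blocked, retry_after_seconds) for this IP."""
        now = self.clock()
        with self._lock:
            q = self._live(ip, now)
            if len(q) >= self.max_failures:
                # seconds until the oldest failure leaves the window
                return True, max(1, math.ceil(self.window - (now - q[0])))
            if not q:
                self._failures.pop(ip, None)    # forget idle IPs; bounded memory
            return False, 0

    def record_failure(self, ip):
        now = self.clock()
        with self._lock:
            self._live(ip, now).append(now)

def authenticate(limiter, ip, presented_key, valid_keys):
    """Hypothetical auth hook: returns (status_code, headers) as the endpoint would."""
    blocked, retry_after = limiter.is_blocked(ip)
    if blocked:
        return 429, {"Retry-After": str(retry_after)}
    if presented_key in valid_keys:
        return 200, {}
    limiter.record_failure(ip)                  # only failures count toward the limit
    return 401, {}
```

Because the counter is in-process memory, a multi-worker deployment multiplies the effective limit by the worker count; a shared store (as flask-limiter supports for F-02) is the usual fix when scaling past one worker.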
Abrechen2 force-pushed the security/rate-limiting branch from 0af0a3a to ab7ac89 on March 16, 2026 19:48
Abrechen2 merged commit c6c0a77 into master on Mar 16, 2026
6 checks passed
Abrechen2 deleted the security/rate-limiting branch on March 16, 2026 19:58