FEATURE (auth): Add rate limiting for sign in edpoint to not allow brute force

Author: RostislavDugin

backend/.pre-commit-config.yaml

@@ -19,6 +19,7 @@ require (
 	github.com/swaggo/gin-swagger v1.6.0
 	github.com/swaggo/swag v1.16.4
 	golang.org/x/crypto v0.39.0
+	golang.org/x/time v0.12.0
 	gorm.io/driver/postgres v1.5.11
 	gorm.io/gorm v1.26.1
 )

backend/go.mod

@@ -252,6 +252,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
 golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

backend/go.sum

@@ -4,10 +4,12 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	"golang.org/x/time/rate"
 )
 
 type UserController struct {
-	userService *UserService
+	userService   *UserService
+	signinLimiter *rate.Limiter
 }
 
 func (c *UserController) RegisterRoutes(router *gin.RouterGroup) {
@@ -51,8 +53,18 @@ func (c *UserController) SignUp(ctx *gin.Context) {
 // @Param request body SignInRequest true "User signin data"
 // @Success 200 {object} SignInResponse
 // @Failure 400
+// @Failure 429 {object} map[string]string "Rate limit exceeded"
 // @Router /users/signin [post]
 func (c *UserController) SignIn(ctx *gin.Context) {
+	// We use rate limiter to prevent brute force attacks
+	if !c.signinLimiter.Allow() {
+		ctx.JSON(
+			http.StatusTooManyRequests,
+			gin.H{"error": "Rate limit exceeded. Please try again later."},
+		)
+		return
+	}
+
 	var request SignInRequest
 	if err := ctx.ShouldBindJSON(&request); err != nil {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request format"})

backend/internal/features/users/controller.go

@@ -2,6 +2,8 @@ package users
 
 import (
 	user_repositories "postgresus-backend/internal/features/users/repositories"
+
+	"golang.org/x/time/rate"
 )
 
 var secretKeyRepository = &user_repositories.SecretKeyRepository{}
@@ -12,6 +14,7 @@ var userService = &UserService{
 }
 var userController = &UserController{
 	userService,
+	rate.NewLimiter(rate.Limit(3), 3), // 3 RPS with burst of 3
 }
 
 func GetUserService() *UserService {

backend/internal/features/users/di.go

@@ -86,15 +86,14 @@ Notifications flow:
 
 Extra:
 
-- add brute force protection on auth (via local RPS limiter) (in progress by Rostislav Dugin)
-- create pretty website like rybbit.io with demo
 - add HTTPS for Postgresus
 - add simple SQL queries via UI
 - add support of Kubernetes Helm
+- create pretty website like rybbit.io with demo
 
 Monitoring flow:
 
-- add system metrics (CPU, RAM, disk, IO)
+- add system metrics (CPU, RAM, disk, IO) (in progress by Rostislav Dugin)
 - add queries stats (slowest, most frequent, etc. via pg_stat_statements)
 - add alerting for slow queries (listen for slow query and if they reach >100ms - send message)
 - add alerting for high resource usage (listen for high resource usage and if they reach >90% - send message)