Add rate limit to basic auth middleware (#5504)
* feat: add rate limiting to basic auth flow * fix: round up retry-after duration * feat: enhance point consume logic * fix: move unauthorized webpage reading inside response function * refactor: move getIpAddress to express-common * fix: check for rate limit before checking creds * fix: use correct rate limit pattern in /recover-step2 * feat: handle CF forwarded IP header in rate limit, whitelist and access logger * feat: add individual config toggles for forwarded headers * feat: enhance IP address retrieval to include forwarded IP for access logging * chore: clean-up diff * fix: don't consume points for missing credentials * feat: log rate limited method and URL Co-authored-by: Copilot <copilot@github.com> * feat: make rate limiter points configurable Co-authored-by: Copilot <copilot@github.com> * feat: implement retry-after header for rate limiting responses Co-authored-by: Copilot <copilot@github.com> --------- Co-authored-by: Copilot <copilot@github.com>
+18
-3
@@ -58,7 +58,7 @@ ssl:
|
||||
# -- SECURITY CONFIGURATION --
|
||||
# Toggle whitelist mode
|
||||
whitelistMode: true
|
||||
# Whitelist will also verify IP in X-Forwarded-For / X-Real-IP headers
|
||||
# When enabled, whitelist will also verify IP in headers enabled in `forwardedHeaders` section.
|
||||
enableForwardedWhitelist: true
|
||||
# Whitelist of allowed IP addresses
|
||||
whitelist:
|
||||
@@ -189,9 +189,24 @@ logging:
|
||||
minLogLevel: 0
|
||||
# -- RATE LIMITING CONFIGURATION --
|
||||
rateLimiting:
|
||||
# Use X-Real-IP header instead of socket IP for rate limiting
|
||||
# Only enable this if you are using a properly configured reverse proxy (like Nginx/traefik/Caddy)
|
||||
# Use any of the enabled headers in the `forwardedHeaders` section to identify the client IP for rate limiting.
|
||||
# If disabled, only the socket IP will be used, which may not work correctly if you are behind a reverse proxy.
|
||||
preferRealIpHeader: false
|
||||
# Set the maximum number of allowed failed basic authentication attempts before rate limiting is applied. Set to 0 to disable rate limiting for basic auth.
|
||||
basicAuthMaxAttempts: 5
|
||||
# Set the maximum number of allowed failed account login attempts before rate limiting is applied. Set to 0 to disable rate limiting for account logins.
|
||||
accountsLoginMaxAttempts: 5
|
||||
# Set the maximum number of allowed failed account recovery attempts before rate limiting is applied. Set to 0 to disable rate limiting for account recovery.
|
||||
accountsRecoverMaxAttempts: 5
|
||||
# Set to true to enable support for real IPs in certain request headers for features like IP whitelisting, rate limiting and access logging.
|
||||
# Only change if you are sure that you use a correctly configured reverse proxy, otherwise this may lead to IP spoofing.
|
||||
forwardedHeaders:
|
||||
# X-Real-IP header (common with Nginx and Caddy)
|
||||
xRealIp: true
|
||||
# X-Forwarded-For header (common with many proxies, but may contain multiple IPs - only the first one will be used)
|
||||
xForwardedFor: true
|
||||
# CF-Connecting-IP header (used by Cloudflare Tunnels)
|
||||
cfConnectingIp: false
|
||||
|
||||
## BACKUP CONFIGURATION
|
||||
backups:
|
||||
|
||||
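Review bot: The new comment on `xForwardedFor` in the second hunk says only the first IP in the header is used, but proxies append to X-Forwarded-For rather than replace it, so the first entry is normally whatever the original client sent; with `preferRealIpHeader: true` that would let a client pick its own rate-limit bucket unless the proxy overwrites the header, and the comment should say so, e.g. `# X-Forwarded-For header (may contain multiple IPs - only the first one is used, and that entry is client-supplied unless your proxy rewrites the header)`. The warning above `forwardedHeaders` says to change it only behind a correctly configured proxy, yet `xRealIp` and `xForwardedFor` ship as `true`, which reads as contradictory; either default both to `false` or state in the comment that these toggles are inert for rate limiting until `preferRealIpHeader` is enabled, if that is indeed how the server code (outside this diff) treats them. It would also help to document which header wins when several enabled ones are present on one request, since operators cannot tell that from the config alone. The hunk at `ssl:` changes only the comment wording and needs nothing further.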