feat: rate-limit /auth/login, /register, /me/password (0.35.0)

A hand-rolled token-bucket limiter (5 req/sec, 10-request burst by default; AUTH_RATE_PER_SEC/AUTH_RATE_BURST env knobs) gates the three auth-mutation endpoints. One bucket per AppState so tests stay isolated. Tower-governor wasn't wired in because the reverse proxy doesn't yet forward client IPs — a global bucket gives equivalent brute-force protection until that lands. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 07:56:06 +02:00
parent e7662d18d6
commit 699c1d0d69
12 changed files with 382 additions and 4 deletions
--- a/backend/tests/common/mod.rs
+++ b/backend/tests/common/mod.rs
@@ -15,6 +15,7 @@ use tempfile::TempDir;
 use tower::ServiceExt;

 use mangalord::app::{router, AppState};
+use mangalord::auth::rate_limit::AuthRateLimiter;
 use mangalord::config::{AuthConfig, UploadConfig};
 use mangalord::storage::{LocalStorage, Storage, StorageError, StreamingFile};

@@ -49,20 +50,51 @@ fn harness_inner(
    storage: Arc<dyn Storage>,
    storage_dir: TempDir,
 ) -> Harness {
+    harness_with_auth_config(pool, storage, storage_dir, AuthConfig {
+        cookie_secure: false,
+        ..AuthConfig::default()
+    })
+}
+
+fn harness_with_auth_config(
+    pool: PgPool,
+    storage: Arc<dyn Storage>,
+    storage_dir: TempDir,
+    auth: AuthConfig,
+) -> Harness {
+    let auth_limiter = Arc::new(AuthRateLimiter::new(auth.rate_limit));
    let state = AppState {
        db: pool,
        storage,
-        auth: AuthConfig { cookie_secure: false, ..AuthConfig::default() },
+        auth,
        upload: UploadConfig {
            // Keep file caps small in tests so the size-cap path is cheap to
            // exercise without producing tens of MBs of bytes.
            max_request_bytes: 4 * 1024 * 1024,
            max_file_bytes: 256 * 1024,
        },
+        auth_limiter,
    };
    Harness { app: router(state), _storage_dir: storage_dir }
 }

+/// Like [`harness`] but configures a tight auth rate limit. Used by
+/// the brute-force-rate-limiting test.
+pub fn harness_with_auth_rate_limit(
+    pool: PgPool,
+    per_sec: u32,
+    burst: u32,
+) -> Harness {
+    let storage_dir = tempfile::tempdir().expect("tempdir");
+    let storage = Arc::new(LocalStorage::new(storage_dir.path()));
+    let auth = AuthConfig {
+        cookie_secure: false,
+        rate_limit: mangalord::auth::rate_limit::RateLimitConfig { per_sec, burst },
+        ..AuthConfig::default()
+    };
+    harness_with_auth_config(pool, storage, storage_dir, auth)
+}
+
 /// Wraps a real `Storage` and fails on the N-th `put` call so tests can
 /// assert that handlers roll their DB writes back when storage errors
 /// mid-upload. Reads and other operations delegate to `inner`.