feat: harden auth, shutdown, and session bundle (0.35.0)
Three features bundled into one release: - rate-limit /auth/login, /register, /me/password (token bucket, 5 req/sec sustained with 10-request burst by default; 429 + Retry-After header on hit; tracing::warn! per hit so operators see attack patterns; AUTH_RATE_PER_SEC / AUTH_RATE_BURST env knobs) - handle SIGTERM for graceful container stops (replaces bare ctrl_c() with a select over ctrl_c + SignalKind::terminate() so docker compose stop runs the daemon shutdown path instead of letting Chromium leak past SIGKILL) - clear session.user on 401 from any API call (setOn401Hook in api/client.ts, registered from session.svelte.ts gated on $app/environment::browser so the SSR bundle never installs it; fixes "logged in but no bookmarks/collections" mid-session expiry state) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
MechaCat02
@@ -652,6 +652,81 @@ async fn login_no_user_branch_runs_argon2_for_timing_equalisation(pool: PgPool)
|
||||
);
|
||||
}
|
||||
|
||||
/// Brute-force / spray protection: at default production limits, a
|
||||
/// tight loop of /auth/login attempts should burst through the bucket
|
||||
/// and then 429 every subsequent request until the bucket refills.
|
||||
#[sqlx::test(migrations = "./migrations")]
|
||||
async fn login_rate_limited_under_burst_pressure(pool: PgPool) {
|
||||
let h = common::harness_with_auth_rate_limit(pool, 1, 3);
|
||||
|
||||
// Register a victim so the wrong-password branch is real work.
|
||||
let _ = h
|
||||
.app
|
||||
.clone()
|
||||
.oneshot(common::post_json("/api/v1/auth/register", creds("victim")))
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
// Register consumed one token from the burst-3 bucket. Fire 30
|
||||
// wrong-password logins back-to-back; with per_sec=1 the refill
|
||||
// is too slow to keep up and at least one must come back 429.
|
||||
let mut saw_429 = false;
|
||||
for _ in 0..30 {
|
||||
let resp = h
|
||||
.app
|
||||
.clone()
|
||||
.oneshot(common::post_json(
|
||||
"/api/v1/auth/login",
|
||||
json!({ "username": "victim", "password": "wrong" }),
|
||||
))
|
||||
.await
|
||||
.unwrap();
|
||||
if resp.status() == StatusCode::TOO_MANY_REQUESTS {
|
||||
// RFC 6585 §4: 429 SHOULD include a Retry-After header. The
|
||||
// value is in seconds; with per_sec=1 the bucket needs ~1s
|
||||
// to refill, so the header should be 1 or 2.
|
||||
let retry_after = resp
|
||||
.headers()
|
||||
.get(axum::http::header::RETRY_AFTER)
|
||||
.and_then(|v| v.to_str().ok())
|
||||
.and_then(|s| s.parse::<u32>().ok())
|
||||
.expect("Retry-After header present and numeric");
|
||||
assert!(
|
||||
retry_after >= 1,
|
||||
"Retry-After must be at least 1s, got {retry_after}"
|
||||
);
|
||||
let body = common::body_json(resp).await;
|
||||
assert_eq!(body["error"]["code"], "too_many_requests");
|
||||
saw_429 = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
assert!(
|
||||
saw_429,
|
||||
"expected at least one 429 within 30 rapid login attempts"
|
||||
);
|
||||
}
|
||||
|
||||
/// Default (test-harness) limits are disabled, so existing tests that
|
||||
/// fire multiple auth requests don't start failing.
|
||||
#[sqlx::test(migrations = "./migrations")]
|
||||
async fn default_test_harness_does_not_rate_limit(pool: PgPool) {
|
||||
let h = common::harness(pool);
|
||||
for i in 0..50 {
|
||||
let resp = h
|
||||
.app
|
||||
.clone()
|
||||
.oneshot(common::post_json(
|
||||
"/api/v1/auth/login",
|
||||
json!({ "username": format!("nobody-{i}"), "password": "x" }),
|
||||
))
|
||||
.await
|
||||
.unwrap();
|
||||
// None of these should be 429 — only 401.
|
||||
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED, "iter {i}");
|
||||
}
|
||||
}
|
||||
|
||||
#[sqlx::test(migrations = "./migrations")]
|
||||
async fn delete_unknown_token_is_404(pool: PgPool) {
|
||||
let h = common::harness(pool);
|
||||
|
||||
Reference in New Issue
Block a user