Refactor rate limiting with exponential backoff strategy
- Update rate limiter to use exponential backoff instead of fixed limit - Implement progressive delays for failed login attempts (0.5s, 1s, 2s, 4s, 5s max) - Update auth router documentation and endpoint docs - Refactor test suite to match new rate limiting behavior - Update backend development documentation - Clean up unused tasks documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
@@ -12,15 +12,14 @@ For programmatic API clients (non-browser), use ``POST /api/auth/token``
|
||||
which returns a token in the response body for use in the ``Authorization``
|
||||
header. This endpoint does not set a cookie.
|
||||
|
||||
Login attempts are rate-limited to 5 per minute per IP address to prevent
|
||||
brute-force attacks. Requests exceeding the limit return ``429 Too Many Requests``
|
||||
with a ``Retry-After`` header.
|
||||
Rate limiting uses exponential backoff: each wrong password attempt incurs
|
||||
a progressive delay (0.5s, 1s, 2s, 4s, 5s max) per IP address. Requests
|
||||
blocked by this delay return ``429 Too Many Requests`` with a ``Retry-After``
|
||||
header.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import asyncio
|
||||
|
||||
import structlog
|
||||
from fastapi import APIRouter, Request, Response
|
||||
|
||||
@@ -60,8 +59,9 @@ async def login(
|
||||
On success the token is also set as an ``HttpOnly`` ``SameSite=Lax``
|
||||
cookie so the browser SPA benefits from automatic credential handling.
|
||||
|
||||
Rate limiting: Up to 5 login attempts per minute per client IP.
|
||||
Requests exceeding this limit return ``429 Too Many Requests`` with
|
||||
Rate limiting: Exponential backoff on failed attempts. Each wrong password
|
||||
incurs an increasing delay (0.5s, 1s, 2s, 4s, 5s max per IP address).
|
||||
Requests during the penalty period return ``429 Too Many Requests`` with
|
||||
a ``Retry-After`` header.
|
||||
|
||||
Args:
|
||||
@@ -81,6 +81,7 @@ async def login(
|
||||
"""
|
||||
client_ip = get_client_ip(request, trusted_proxies=settings.trusted_proxies)
|
||||
|
||||
# Check if this IP is currently blocked by exponential backoff
|
||||
if not rate_limiter.is_allowed(client_ip):
|
||||
log.warning("login_rate_limit_exceeded", client_ip=client_ip)
|
||||
raise RateLimitError("Too many login attempts. Please try again later.")
|
||||
@@ -94,16 +95,9 @@ async def login(
|
||||
session_repo=session_ctx.session_repo,
|
||||
)
|
||||
except ValueError as exc:
|
||||
# Progressive penalty delay on wrong password to slow down brute-force
|
||||
# attacks without exhausting request capacity (app-layer DoS resistance).
|
||||
penalty = rate_limiter.record_failure(client_ip)
|
||||
acquired = rate_limiter.acquire(client_ip)
|
||||
try:
|
||||
if acquired:
|
||||
await asyncio.sleep(penalty)
|
||||
finally:
|
||||
rate_limiter.release(client_ip)
|
||||
log.warning("login_failed", client_ip=client_ip, error=str(exc), penalty=penalty)
|
||||
# Record this failure to increment the exponential backoff counter
|
||||
rate_limiter.record_failure(client_ip)
|
||||
log.warning("login_failed", client_ip=client_ip, error=str(exc))
|
||||
raise AuthenticationError(str(exc)) from exc
|
||||
|
||||
response.set_cookie(
|
||||
|
||||
Reference in New Issue
Block a user