diff options
author | Corey Hulen <corey@hulen.com> | 2015-08-02 09:17:37 -0800 |
---|---|---|
committer | Corey Hulen <corey@hulen.com> | 2015-08-02 09:17:37 -0800 |
commit | 4d1562c5de377741734a0ad4e8eb30a83d301262 (patch) | |
tree | 74d1d7821b3863231c2d9429b6ccb48728661b30 /api | |
parent | adc8def9e06a7908d5f092088922dc26cbb277df (diff) | |
parent | d93bf60248f066542d0851a7b6847f925975d77f (diff) | |
download | chat-4d1562c5de377741734a0ad4e8eb30a83d301262.tar.gz chat-4d1562c5de377741734a0ad4e8eb30a83d301262.tar.bz2 chat-4d1562c5de377741734a0ad4e8eb30a83d301262.zip |
Merge pull request #273 from mattermost/mm-1355
Fixes mm-1355 adds rate limiting apis
Diffstat (limited to 'api')
-rw-r--r-- | api/server.go | 37 | ||||
-rw-r--r-- | api/user.go | 21 |
2 files changed, 55 insertions, 3 deletions
diff --git a/api/server.go b/api/server.go index 3163f79f5..3273e766c 100644 --- a/api/server.go +++ b/api/server.go @@ -9,7 +9,10 @@ import ( "github.com/gorilla/mux" "github.com/mattermost/platform/store" "github.com/mattermost/platform/utils" + "github.com/throttled/throttled" + throttledStore "github.com/throttled/throttled/store" "net/http" + "strings" "time" ) @@ -35,10 +38,40 @@ func NewServer() { func StartServer() { l4g.Info("Starting Server...") - l4g.Info("Server is listening on " + utils.Cfg.ServiceSettings.Port) + + var handler http.Handler = Srv.Router + + if utils.Cfg.RateLimitSettings.UseRateLimiter { + l4g.Info("RateLimiter is enabled") + + vary := throttled.VaryBy{} + + if utils.Cfg.RateLimitSettings.VaryByRemoteAddr { + vary.RemoteAddr = true + } + + if len(utils.Cfg.RateLimitSettings.VaryByHeader) > 0 { + vary.Headers = strings.Fields(utils.Cfg.RateLimitSettings.VaryByHeader) + + if utils.Cfg.RateLimitSettings.VaryByRemoteAddr { + l4g.Warn("RateLimitSettings not configured properly using VaryByHeader and disabling VaryByRemoteAddr") + vary.RemoteAddr = false + } + } + + th := throttled.RateLimit(throttled.PerSec(utils.Cfg.RateLimitSettings.PerSec), &vary, throttledStore.NewMemStore(utils.Cfg.RateLimitSettings.MemoryStoreSize)) + + th.DeniedHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + l4g.Error("%v: code=429 ip=%v", r.URL.Path, GetIpAddress(r)) + throttled.DefaultDeniedHandler.ServeHTTP(w, r) + }) + + handler = th.Throttle(Srv.Router) + } + go func() { - err := Srv.Server.ListenAndServe(":"+utils.Cfg.ServiceSettings.Port, Srv.Router) + err := Srv.Server.ListenAndServe(":"+utils.Cfg.ServiceSettings.Port, handler) if err != nil { l4g.Critical("Error starting server, err:%v", err) time.Sleep(time.Second) diff --git a/api/user.go b/api/user.go index 54337e207..a42f81cf1 100644 --- a/api/user.go +++ b/api/user.go @@ -284,13 +284,32 @@ func LoginByEmail(c *Context, w http.ResponseWriter, r *http.Request, email, nam } func checkUserPassword(c *Context, user *model.User, password string) bool { + + if user.FailedAttempts >= utils.Cfg.ServiceSettings.AllowedLoginAttempts { + c.LogAuditWithUserId(user.Id, "fail") + c.Err = model.NewAppError("checkUserPassword", "Your account is locked because of too many failed password attempts. Please reset your password.", "user_id="+user.Id) + c.Err.StatusCode = http.StatusForbidden + return false + } + if !model.ComparePassword(user.Password, password) { c.LogAuditWithUserId(user.Id, "fail") c.Err = model.NewAppError("checkUserPassword", "Login failed because of invalid password", "user_id="+user.Id) c.Err.StatusCode = http.StatusForbidden + + if result := <-Srv.Store.User().UpdateFailedPasswordAttempts(user.Id, user.FailedAttempts+1); result.Err != nil { + c.LogError(result.Err) + } + return false + } else { + if result := <-Srv.Store.User().UpdateFailedPasswordAttempts(user.Id, 0); result.Err != nil { + c.LogError(result.Err) + } + + return true } - return true + } // User MUST be validated before calling Login |