Mike Swanson
e3e95f8fa7
Some checks failed
Build and Test / Build Server (Linux) (push) Has been cancelled
Build and Test / Build Agent (Windows) (push) Has been cancelled
Build and Test / Security Audit (push) Has been cancelled
Build and Test / Build Summary (push) Has been cancelled
Run Tests / Test Server (push) Has been cancelled
Run Tests / Test Agent (push) Has been cancelled
Run Tests / Code Coverage (push) Has been cancelled
Run Tests / Lint and Format Check (push) Has been cancelled
Brings azcomputerguru/guru-connect up to the authoritative working copy that had been maintained in the claudetools monorepo: Phase 1 security and infrastructure (middleware, metrics, utils, token blacklist, deployment scripts, security audits) plus the native-remote-control integration spec. Preserves the repo .gitignore, .cargo, and server/static/downloads. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
75 lines
2.5 KiB
Markdown
75 lines
2.5 KiB
Markdown
# SEC-2: Rate Limiting - Implementation Notes
|
|
|
|
**Status:** Partially Implemented - Needs Type Resolution
|
|
**Priority:** HIGH
|
|
**Blocker:** Compilation errors with tower_governor type signatures
|
|
|
|
## What Was Done
|
|
|
|
1. Added tower_governor dependency to Cargo.toml
|
|
2. Created middleware/rate_limit.rs module
|
|
3. Defined three rate limiters:
|
|
- `auth_rate_limiter()` - 5 requests/minute for login
|
|
- `support_code_rate_limiter()` - 10 requests/minute for code validation
|
|
- `api_rate_limiter()` - 60 requests/minute for general API
|
|
4. Applied rate limiting to routes in main.rs:
|
|
- `/api/auth/login`
|
|
- `/api/auth/change-password`
|
|
- `/api/codes/:code/validate`
|
|
|
|
## Current Blocker
|
|
|
|
Tower_governor GovernorLayer requires 2 generic type parameters, but the exact types are complex:
|
|
- Key extractor: SmartIpKeyExtractor
|
|
- Rate limiter method: (type unclear from docs)
|
|
|
|
## Attempted Solutions
|
|
|
|
1. Used default types - Failed (DefaultDirectRateLimiter doesn't exist)
|
|
2. Used impl Trait - Too complex, nested trait bounds
|
|
3. Added "axum" feature to tower_governor - Still type errors
|
|
|
|
## Next Steps to Complete
|
|
|
|
1. Research tower_governor v0.4 examples for Axum 0.7
|
|
2. OR: Use simpler alternative like tower-http RequestBodyLimitLayer
|
|
3. OR: Implement custom rate limiting with Redis/in-memory cache
|
|
4. Test with actual HTTP requests (curl, Postman)
|
|
5. Add rate limit headers (X-RateLimit-Remaining, X-RateLimit-Reset)
|
|
|
|
## Recommended Approach
|
|
|
|
**Option A: Fix tower_governor types** (1-2 hours)
|
|
- Find working example for tower_governor + Axum 0.7
|
|
- Copy exact type signatures
|
|
- Test compilation
|
|
|
|
**Option B: Switch to custom middleware** (2-3 hours)
|
|
- Use in-memory HashMap<IP, (count, last_reset)>
|
|
- Implement middleware manually
|
|
- More control, simpler types
|
|
|
|
**Option C: Use Redis for rate limiting** (3-4 hours)
|
|
- Add redis dependency
|
|
- Implement with atomic INCR + EXPIRE
|
|
- Production-grade, distributed-ready
|
|
|
|
## Temporary Mitigation
|
|
|
|
Until rate limiting is fully operational:
|
|
- Monitor auth endpoint logs for brute force attempts
|
|
- Consider firewall-level rate limiting (fail2ban, NPM)
|
|
- Enable account lockout after N failed attempts (add to user table)
|
|
|
|
## Files Modified
|
|
|
|
- `server/Cargo.toml` - Added tower_governor dependency
|
|
- `server/src/middleware/rate_limit.rs` - Rate limiter definitions (NOT compiling)
|
|
- `server/src/middleware/mod.rs` - Module exports
|
|
- `server/src/main.rs` - Applied rate limiting to routes (commented out for now)
|
|
|
|
---
|
|
|
|
**Created:** 2026-01-17
|
|
**Next Action:** Move to SEC-3 (SQL Injection) - Higher priority
|