Feat basic rate limiting

README.md

@@ -51,28 +51,28 @@ If you want to use the Hanko backend API but prefer to build your own UI, you ca
 We are currently in **Beta** and may still have critical bugs. Watch our releases, leave a star, join our [Slack community](https://www.hanko.io/community), or sign up to our [product news](https://www.hanko.io/updates) to follow the development. Here's a brief overview of the current roadmap:
 
 | Status | Feature |
-| :---: | :--- |
-| ✅ | Passkeys |
-| ✅ | Email passcodes |
-| ✅ | Passwords |
-| ✅ | JWT signing |
-| ✅ | User management API |
-| ✅ | 📢 Hanko Alpha Release |
-| ✅ | `<hanko-auth>` web component |
-| ✅ | Customizable CSS |
-| ✅ | 📢 Hanko Beta Release |
-| ✅ | JavaScript frontend SDK |
-| ✅ | Passkey autofill ([Conditional UI](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI)) |
-| ✅ | Audit logs API |
-| ✅ | Security Key support |
-| ✅ | Mobile app support |
-| ⚙️ | `<hanko-profile>` web component |
-| ⚙️ | Priviledged sessions & step-up authentication |
-| ⚙️ | OAuth plugin system (Sign in with Google/Apple/GitHub/...) |
-| | Rate limiting (application level) |
-| | Session management |
-| | Custom translations for [hanko-elements](/frontend/elements/README.md) |
-| | Email templating |
+|:------:| :--- |
+|  ✅  | Passkeys |
+|  ✅  | Email passcodes |
+|  ✅  | Passwords |
+|  ✅  | JWT signing |
+|  ✅  | User management API |
+|  ✅  | 📢 Hanko Alpha Release |
+|  ✅  | `<hanko-auth>` web component |
+|  ✅  | Customizable CSS |
+|  ✅  | 📢 Hanko Beta Release |
+|  ✅  | JavaScript frontend SDK |
+|  ✅  | Passkey autofill ([Conditional UI](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI)) |
+|  ✅  | Audit logs API |
+|  ✅  | Security Key support |
+|  ✅  | Mobile app support |
+|  ✅  | `<hanko-profile>` web component |
+|  ✅ | Rate limiting (application level) |
+|  ⚙️  | Priviledged sessions & step-up authentication |
+|  ⚙️ | OAuth plugin system (Sign in with Google/Apple/GitHub/...) |
+|  | Session management |
+|  | Custom translations for [hanko-elements](/frontend/elements/README.md) |
+|  | Email templating |
 
 Additional features that have been requested or that we would like to build but are not (yet) on the roadmap:
 - SMS passcode delivery

backend/Dockerfile

@@ -21,6 +21,7 @@ COPY session session/
 COPY mail mail/
 COPY audit_log audit_log/
 COPY pagination pagination/
+COPY rate_limiter rate_limiter/
 
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -a -o hanko main.go

backend/Dockerfile.debug

@@ -22,6 +22,7 @@ COPY session session/
 COPY mail mail/
 COPY audit_log audit_log/
 COPY pagination pagination/
+COPY rate_limiter rate_limiter/
 
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -gcflags="all=-N -l" -a -o hanko main.go

backend/README.md

@@ -389,8 +389,11 @@ To persist audit logs in the database, set `audit_log.storage.enabled` to `true`
 
 ### Rate Limiting
 
-Currently, Hanko backend does not implement rate limiting in any way. In production systems, you may want to hide the
-Hanko service behind a proxy or gateway (e.g. Kong, Traefik) that provides rate limiting.
+Hanko implements basic fixed-window rate limiting for the passcode/init and password/login endpoints to mitigate brute-force attacks.
+It uses a combination of user-id/IP to mitigate DoS attacks on user accounts. You can choose between an in-memory and a redis store.
+
+In production systems, you may want to hide the
+Hanko service behind a proxy or gateway (e.g. Kong, Traefik) to provide additional network-based rate limiting.
 
 ## API specification
 

backend/config/config.go

@@ -7,23 +7,25 @@ import (
  "github.com/knadh/koanf/parsers/yaml"
  "github.com/knadh/koanf/providers/env"
  "github.com/knadh/koanf/providers/file"
+ "github.com/sethvargo/go-limiter/httplimit"
  "log"
  "strings"
  "time"
 )
 
 // Config is the central configuration type
 type Config struct {
- Server Server `yaml:"server" json:"server" koanf:"server"`
- Webauthn WebauthnSettings `yaml:"webauthn" json:"webauthn" koanf:"webauthn"`
- Passcode Passcode `yaml:"passcode" json:"passcode" koanf:"passcode"`
- Password Password `yaml:"password" json:"password" koanf:"password"`
- Database Database `yaml:"database" json:"database" koanf:"database"`
- Secrets Secrets `yaml:"secrets" json:"secrets" koanf:"secrets"`
- Service Service `yaml:"service" json:"service" koanf:"service"`
- Session Session `yaml:"session" json:"session" koanf:"session"`
- AuditLog AuditLog `yaml:"audit_log" json:"audit_log" koanf:"audit_log"`
- Emails Emails `yaml:"emails" json:"emails" koanf:"emails"`
+ Server Server `yaml:"server" json:"server" koanf:"server"`
+ Webauthn WebauthnSettings `yaml:"webauthn" json:"webauthn" koanf:"webauthn"`
+ Passcode Passcode `yaml:"passcode" json:"passcode" koanf:"passcode"`
+ Password Password `yaml:"password" json:"password" koanf:"password"`
+ Database Database `yaml:"database" json:"database" koanf:"database"`
+ Secrets Secrets `yaml:"secrets" json:"secrets" koanf:"secrets"`
+ Service Service `yaml:"service" json:"service" koanf:"service"`
+ Session Session `yaml:"session" json:"session" koanf:"session"`
+ AuditLog AuditLog `yaml:"audit_log" json:"audit_log" koanf:"audit_log"`
+ Emails Emails `yaml:"emails" json:"emails" koanf:"emails"`
+ RateLimiter RateLimiter `yaml:"rate_limiter" json:"rate_limiter" koanf:"rate_limiter"`
 }
 
 func Load(cfgFile *string) (*Config, error) {
@@ -59,6 +61,14 @@ func DefaultConfig() *Config {
  Server: Server{
  Public: ServerSettings{
  Address: ":8000",
+ Cors: Cors{
+ ExposeHeaders: []string{
+ httplimit.HeaderRateLimitLimit,
+ httplimit.HeaderRateLimitRemaining,
+ httplimit.HeaderRateLimitReset,
+ httplimit.HeaderRetryAfter,
+ },
+ },
  },
  Admin: ServerSettings{
  Address: ":8001",
@@ -68,7 +78,7 @@ func DefaultConfig() *Config {
  RelyingParty: RelyingParty{
  Id: "localhost",
  DisplayName: "Hanko Authentication Service",
- Origin:  "http:https://localhost",
+ Origins: []string{"http:https://localhost"},
  },
  Timeout: 60000,
  },
@@ -77,6 +87,10 @@ func DefaultConfig() *Config {
  Port: "465",
  },
  TTL: 300,
+ Email: Email{
+ FromAddress: "[email protected]",
+ FromName: "Hanko",
+ },
  },
  Password: Password{
  MinPasswordLength: 8,
@@ -102,6 +116,18 @@ func DefaultConfig() *Config {
  RequireVerification: true,
  MaxNumOfAddresses: 5,
  },
+ RateLimiter: RateLimiter{
+ Enabled: true,
+ Store: RATE_LIMITER_STORE_IN_MEMORY,
+ PasswordLimits: RateLimits{
+ Tokens: 5,
+ Interval: 1 * time.Minute,
+ },
+ PasscodeLimits: RateLimits{
+ Tokens: 3,
+ Interval: 1 * time.Minute,
+ },
+ },
  }
 }
 
@@ -134,6 +160,10 @@ func (c *Config) Validate() error {
  if err != nil {
  return fmt.Errorf("failed to validate session settings: %w", err)
  }
+ err = c.RateLimiter.Validate()
+ if err != nil {
+ return fmt.Errorf("failed to validate rate-limiter settings: %w", err)
+ }
  return nil
 }
 
@@ -364,3 +394,48 @@ var (
  OutputStreamStdOut OutputStream = "stdout"
  OutputStreamStdErr OutputStream = "stderr"
 )
+
+type RateLimiter struct {
+ Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled"`
+ Store RateLimiterStoreType `yaml:"store" json:"store" koanf:"store"`
+ Redis *RedisConfig `yaml:"redis_config" json:"redis_config" koanf:"redis_config"`
+ PasscodeLimits RateLimits `yaml:"passcode_limits" json:"passcode_limits" koanf:"passcode_limits"`
+ PasswordLimits RateLimits `yaml:"password_limits" json:"password_limits" koanf:"password_limits"`
+}
+
+type RateLimits struct {
+ Tokens uint64 `yaml:"tokens" json:"tokens" koanf:"tokens"`
+ Interval time.Duration `yaml:"interval" json:"interval" koanf:"interval"`
+}
+
+type RateLimiterStoreType string
+
+const (
+ RATE_LIMITER_STORE_IN_MEMORY RateLimiterStoreType = "in_memory"
+ RATE_LIMITER_STORE_REDIS = "redis"
+)
+
+func (r *RateLimiter) Validate() error {
+ if r.Enabled {
+ switch r.Store {
+ case RATE_LIMITER_STORE_REDIS:
+ if r.Redis == nil {
+ return errors.New("when enabling the redis store you have to specify the redis config")
+ }
+ if r.Redis.Address == "" {
+ return errors.New("when enabling the redis store you have to specify the address where hanko can reach the redis instance")
+ }
+ case RATE_LIMITER_STORE_IN_MEMORY:
+ break
+ default:
+ return errors.New(string(r.Store) + " is not a valid rate limiter store.")
+ }
+ }
+ return nil
+}
+
+type RedisConfig struct {
+ //Address of redis in the form of host[:port][/database]
+ Address string `yaml:"address" json:"address" koanf:"address"`
+ Password string `yaml:"password" json:"password" koanf:"password"`
+}

backend/config/config_test.go

@@ -0,0 +1,66 @@
+package config
+
+import (
+ "testing"
+)
+
+func TestDefaultConfigNotEnoughForValidation(t *testing.T) {
+ cfg := DefaultConfig()
+ if err := cfg.Validate(); err == nil {
+ t.Error("The default config is missing mandatory parameters. This should not validate without error.")
+ }
+}
+
+func TestParseValidConfig(t *testing.T) {
+ configPath := "./config.yaml"
+ cfg, err := Load(&configPath)
+ if err != nil {
+ t.Error(err)
+ }
+ if err := cfg.Validate(); err != nil {
+ t.Error(err)
+ }
+}
+
+func TestMinimalConfigValidates(t *testing.T) {
+ configPath := "./minimal-config.yaml"
+ cfg, err := Load(&configPath)
+ if err != nil {
+ t.Error(err)
+ }
+ if err := cfg.Validate(); err != nil {
+ t.Error(err)
+ }
+}
+
+func TestRateLimiterConfig(t *testing.T) {
+ configPath := "./minimal-config.yaml"
+ cfg, err := Load(&configPath)
+
+ if err != nil {
+ t.Error(err)
+ }
+ cfg.RateLimiter.Enabled = true
+ cfg.RateLimiter.Store = "in_memory"
+
+ if err := cfg.Validate(); err != nil {
+ t.Error(err)
+ }
+
+ cfg.RateLimiter.Store = "redis"
+ if err := cfg.Validate(); err == nil {
+ t.Error("when specifying redis, the redis config should also be specified")
+ }
+ cfg.RateLimiter.Redis = &RedisConfig{
+ Address: "127.0.0.1:9876",
+ Password: "password",
+ }
+ if err := cfg.Validate(); err != nil {
+ t.Error(err)
+ }
+
+ cfg.RateLimiter.Store = "notvalid"
+ if err := cfg.Validate(); err == nil {
+ t.Error("notvalid is not a valid backend")
+ }
+}

backend/config/minimal-config.yaml

@@ -0,0 +1,12 @@
+passcode:
+ smtp:
+ host: smtp.example.com
+ user: example
+ password: example
+database:
+ url: postgres:https://postgres:[email protected]:5432/dummy
+secrets:
+ keys:
+ - abcedfghijklmnopqrstuvwxyz
+service:
+ name: Hanko Authentication Service