Implement authentication rate limit, fixes #116

7 years ago · 19fe73b388
parent 716e166b11
commit 19fe73b388
5 changed files with 17 additions and 1 deletions
--- a/.env.dist
+++ b/.env.dist
@ -33,6 +33,9 @@ POSTMASTER=admin
 # Choose how secure connections will behave (value: letsencrypt, cert, notls)
 TLS_FLAVOR=cert

+# Authentication rate limit (per source IP address)
+AUTH_RATELIMIT=10/minute;1000/hour
+
 ###################################
 # Optional features
 ###################################
--- a/admin/mailu/init.py
+++ b/admin/mailu/init.py
@ -5,6 +5,7 @@ import flask_login
 import flask_script
 import flask_migrate
 import flask_babel
+import flask_limiter

 import os
 import docker
@ -35,6 +36,8 @@ default_config = {
    'CERTS_PATH': '/certs',
    'PASSWORD_SCHEME': 'SHA512-CRYPT',
    'WEBMAIL': 'none',
+    'AUTH_RATELIMIT': '10/minute;1000/hour',
+    'RATELIMIT_STORAGE_URL': 'redis://redis'
 }

 # Load configuration from the environment if available
@ -45,6 +48,7 @@ for key, value in default_config.items():
 flask_bootstrap.Bootstrap(app)
 db = flask_sqlalchemy.SQLAlchemy(app)
 migrate = flask_migrate.Migrate(app, db)
+limiter = flask_limiter.Limiter(app, key_func=lambda: current_user.username)

 # Debugging toolbar
 if app.config.get("DEBUG"):
--- a/admin/mailu/internal/views.py
+++ b/admin/mailu/internal/views.py
@ -1,10 +1,14 @@
-from mailu import db, models
+from mailu import db, models, app, limiter
 from mailu.internal import internal, nginx

 import flask


@internal.route("/auth/email")
+@limiter.limit(
+    app.config["AUTH_RATELIMIT"],
+    lambda: flask.request.headers["Client-Ip"]
+)
 def nginx_authentication():
    """ Main authentication endpoint for Nginx email server
    """
--- a/admin/requirements-prod.txt
+++ b/admin/requirements-prod.txt
@ -15,6 +15,7 @@ Flask==0.12.2
 Flask-Babel==0.11.2
 Flask-Bootstrap==3.3.7.1
 Flask-DebugToolbar==0.10.1
+Flask-Limiter==0.9.5.1
 Flask-Login==0.4.0
 Flask-Migrate==2.1.1
 Flask-Script==2.0.6
@ -26,6 +27,7 @@ infinity==1.4
 intervals==0.8.0
 itsdangerous==0.24
 Jinja2==2.9.6
+limits==1.2.1
 Mako==1.0.7
 MarkupSafe==1.0
 passlib==1.7.1
@ -35,6 +37,7 @@ python-dateutil==2.6.1
 python-editor==1.0.3
 pytz==2017.2
 PyYAML==3.12
+redis==2.10.6
 requests==2.18.4
 six==1.11.0
 SQLAlchemy==1.1.14
--- a/admin/requirements.txt
+++ b/admin/requirements.txt
@ -7,6 +7,8 @@ Flask-migrate
 Flask-script
 Flask-wtf
 Flask-debugtoolbar
+Flask-limiter
+redis
 WTForms-Components
 passlib
 gunicorn