feat(gateway): add auth rate-limiting & brute-force protection (#15035)

* feat(gateway): add auth rate-limiting & brute-force protection Add a per-IP sliding-window rate limiter to Gateway authentication endpoints (HTTP, WebSocket upgrade, and WS message-level auth). When gateway.auth.rateLimit is configured, failed auth attempts are tracked per client IP. Once the threshold is exceeded within the sliding window, further attempts are blocked with HTTP 429 + Retry-After until the lockout period expires. Loopback addresses are exempt by default so local CLI sessions are never locked out. The limiter is only created when explicitly configured (undefined otherwise), keeping the feature fully opt-in and backward-compatible. * fix(gateway): isolate auth rate-limit scopes and normalize 429 responses --------- Co-authored-by: buerbaumer <buerbaumer@users.noreply.github.com> Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-05-08 15:28:27 +00:00 · 2026-02-13 15:32:38 +01:00
parent 9131b22a28
commit 30b6eccae5
24 changed files with 1063 additions and 42 deletions
--- a/src/gateway/auth.ts
+++ b/src/gateway/auth.ts
@@ -2,12 +2,18 @@ import type { IncomingMessage } from "node:http";
 import type { GatewayAuthConfig, GatewayTailscaleMode } from "../config/config.js";
 import { readTailscaleWhoisIdentity, type TailscaleWhoisIdentity } from "../infra/tailscale.js";
 import { safeEqualSecret } from "../security/secret-equal.js";
+import {
+  AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET,
+  type AuthRateLimiter,
+  type RateLimitCheckResult,
+} from "./auth-rate-limit.js";
 import {
  isLoopbackAddress,
  isTrustedProxyAddress,
  parseForwardedForClientIp,
  resolveGatewayClientIp,
 } from "./net.js";
+
 export type ResolvedGatewayAuthMode = "token" | "password";

 export type ResolvedGatewayAuth = {
@@ -22,6 +28,10 @@ export type GatewayAuthResult = {
  method?: "token" | "password" | "tailscale" | "device-token";
  user?: string;
  reason?: string;
+  /** Present when the request was blocked by the rate limiter. */
+  rateLimited?: boolean;
+  /** Milliseconds the client should wait before retrying (when rate-limited). */
+  retryAfterMs?: number;
 };

 type ConnectAuth = {
@@ -220,17 +230,42 @@ export async function authorizeGatewayConnect(params: {
  req?: IncomingMessage;
  trustedProxies?: string[];
  tailscaleWhois?: TailscaleWhoisLookup;
+  /** Optional rate limiter instance; when provided, failed attempts are tracked per IP. */
+  rateLimiter?: AuthRateLimiter;
+  /** Client IP used for rate-limit tracking. Falls back to proxy-aware request IP resolution. */
+  clientIp?: string;
+  /** Optional limiter scope; defaults to shared-secret auth scope. */
+  rateLimitScope?: string;
 }): Promise<GatewayAuthResult> {
  const { auth, connectAuth, req, trustedProxies } = params;
  const tailscaleWhois = params.tailscaleWhois ?? readTailscaleWhoisIdentity;
  const localDirect = isLocalDirectRequest(req, trustedProxies);

+  // --- Rate-limit gate ---
+  const limiter = params.rateLimiter;
+  const ip =
+    params.clientIp ?? resolveRequestClientIp(req, trustedProxies) ?? req?.socket?.remoteAddress;
+  const rateLimitScope = params.rateLimitScope ?? AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET;
+  if (limiter) {
+    const rlCheck: RateLimitCheckResult = limiter.check(ip, rateLimitScope);
+    if (!rlCheck.allowed) {
+      return {
+        ok: false,
+        reason: "rate_limited",
+        rateLimited: true,
+        retryAfterMs: rlCheck.retryAfterMs,
+      };
+    }
+  }
+
  if (auth.allowTailscale && !localDirect) {
    const tailscaleCheck = await resolveVerifiedTailscaleUser({
      req,
      tailscaleWhois,
    });
    if (tailscaleCheck.ok) {
+      // Successful auth – reset rate-limit counter for this IP.
+      limiter?.reset(ip, rateLimitScope);
      return {
        ok: true,
        method: "tailscale",
@@ -244,11 +279,14 @@ export async function authorizeGatewayConnect(params: {
      return { ok: false, reason: "token_missing_config" };
    }
    if (!connectAuth?.token) {
+      limiter?.recordFailure(ip, rateLimitScope);
      return { ok: false, reason: "token_missing" };
    }
    if (!safeEqualSecret(connectAuth.token, auth.token)) {
+      limiter?.recordFailure(ip, rateLimitScope);
      return { ok: false, reason: "token_mismatch" };
    }
+    limiter?.reset(ip, rateLimitScope);
    return { ok: true, method: "token" };
  }

@@ -258,13 +296,17 @@ export async function authorizeGatewayConnect(params: {
      return { ok: false, reason: "password_missing_config" };
    }
    if (!password) {
+      limiter?.recordFailure(ip, rateLimitScope);
      return { ok: false, reason: "password_missing" };
    }
    if (!safeEqualSecret(password, auth.password)) {
+      limiter?.recordFailure(ip, rateLimitScope);
      return { ok: false, reason: "password_mismatch" };
    }
+    limiter?.reset(ip, rateLimitScope);
    return { ok: true, method: "password" };
  }

+  limiter?.recordFailure(ip, rateLimitScope);
  return { ok: false, reason: "unauthorized" };
 }