Updating rate limits to also use TOML
This commit is contained in:
🐙PiperYxzzy
@@ -8,22 +8,26 @@ import (
|
||||
"github.com/BurntSushi/toml"
|
||||
)
|
||||
|
||||
type DbConfig struct {
|
||||
Dialect string `toml:"dialect"`
|
||||
Username string `toml:"username"`
|
||||
PasswordSecret string `toml:"password-secret"`
|
||||
Url string `toml:"url"`
|
||||
Port string `toml:"port"`
|
||||
Name string `toml:"name"`
|
||||
}
|
||||
|
||||
type StackConfiguration struct {
|
||||
ConfigLoaded bool
|
||||
|
||||
AllowFreshAdminGeneration bool
|
||||
AdminEmails []string
|
||||
AdminHmacEnv string
|
||||
UserHmacEnv string
|
||||
AuthedRateLimitConfig string
|
||||
UnauthedRateLimitConfig string
|
||||
AllowFreshAdminGeneration bool `toml:"gen-fresh-admin"`
|
||||
AdminEmails []string `toml:"admin-emails"`
|
||||
AdminHmacEnv string `toml:"admin-hmac-env"`
|
||||
UserHmacEnv string `toml:"user-hmac-env"`
|
||||
AuthedRateLimitConfig string `toml:"auth-rate-limit-defs"`
|
||||
UnauthedRateLimitConfig string `toml:"unauth-rate-limit-defs"`
|
||||
|
||||
DbDialect string
|
||||
DbUsername string
|
||||
DbPasswordSecret string
|
||||
DbUrl string
|
||||
DbPort string
|
||||
DbName string
|
||||
Db DbConfig `toml:"db"`
|
||||
}
|
||||
|
||||
var Environment = os.Getenv("STACK_ENVIRONMENT")
|
||||
@@ -60,5 +64,5 @@ func LoadConfig() {
|
||||
|
||||
configInternal.ConfigLoaded = true
|
||||
|
||||
log.Printf("Loaded Config for stack '%s': %+v", Environment, configInternal)
|
||||
log.Printf("Loaded Config for stack '%s':\n%+v\n", Environment, configInternal)
|
||||
}
|
||||
|
||||
@@ -1,13 +1,14 @@
|
||||
AllowFreshAdminGeneration = true
|
||||
AdminEmails = ["admin@admin.invalid"]
|
||||
AdminHmacEnv = "ADMIN_HMAC_ENV"
|
||||
UserHmacEnv = "USER_HMAC_ENV"
|
||||
AuthedRateLimitConfig = "ratelimit.auth.json"
|
||||
UnauthedRateLimitConfig = "ratelimit.unauth.json"
|
||||
gen-fresh-admin = true
|
||||
admin-emails = ["admin@admin.invalid"]
|
||||
admin-hmac-env = "ADMIN_HMAC_ENV"
|
||||
user-hmac-env = "USER_HMAC_ENV"
|
||||
auth-rate-limit-defs = "ratelimit.auth.toml"
|
||||
unauth-rate-limit-defs = "ratelimit.unauth.toml"
|
||||
|
||||
DbDialect = "sqlite"
|
||||
DbUrl = "prepack.db"
|
||||
DbUsername = ""
|
||||
DbPasswordSecret = ""
|
||||
DbPort = ""
|
||||
DbName = ""
|
||||
[db]
|
||||
dialect = "sqlite"
|
||||
url = "prepack.db"
|
||||
username = ""
|
||||
password-secret = ""
|
||||
port = ""
|
||||
name = ""
|
||||
@@ -1,17 +0,0 @@
|
||||
{
|
||||
"": {"seconds": 60, "max": 30, "_comment": "Global ratelimit."},
|
||||
|
||||
"GET:/v1/sec/doot":
|
||||
{"seconds": 5, "max": 3, "_comment": "One DPS (Doot Per Second) for monitoring?"},
|
||||
|
||||
"GET:/v1/sec/2fa-doot":
|
||||
{"seconds": 10, "max": 1, "_comment": "2FA doot probably doesn't need much usage at all, mainly exists as a proof of concept."},
|
||||
|
||||
"GET:/v1/adm/doot":
|
||||
{"seconds": 5, "max": 3, "_comment": "One DPS (Doot Per Second) for monitoring?"},
|
||||
|
||||
"GET:/v1/adm/2fa-doot":
|
||||
{"seconds": 10, "max": 1, "_comment": "2FA doot probably doesn't need much usage at all, mainly exists as a proof of concept."}
|
||||
|
||||
|
||||
}
|
||||
29
config/dev/ratelimit.auth.toml
Normal file
29
config/dev/ratelimit.auth.toml
Normal file
@@ -0,0 +1,29 @@
|
||||
[[Rules]]
|
||||
# Global Ratelimit
|
||||
match = ""
|
||||
seconds = 60
|
||||
max = 30
|
||||
|
||||
[[Rules]]
|
||||
# One DPS (Doot Per Second) for monitoring
|
||||
match = "GET:/v1/sec/doot"
|
||||
seconds = 5
|
||||
max = 30
|
||||
|
||||
[[Rules]]
|
||||
# 2FA doot probably doesn't need much usage at all, mainly exists as a proof of concept.
|
||||
match = "GET:/v1/sec/2fa-doot"
|
||||
seconds = 10
|
||||
max = 1
|
||||
|
||||
[[Rules]]
|
||||
# One Admin DPS (Doot Per Second) for monitoring
|
||||
match = "GET:/v1/adm/doot"
|
||||
seconds = 5
|
||||
max = 3
|
||||
|
||||
[[Rules]]
|
||||
# 2FA doot probably doesn't need much usage at all, mainly exists as a proof of concept.
|
||||
match = "GET:/v1/adm/2fa-doot"
|
||||
seconds = 10
|
||||
max = 1
|
||||
@@ -1,19 +0,0 @@
|
||||
{
|
||||
"":
|
||||
{"seconds": 60, "max": 30, "_comment": "Global unauthenticated ratelimit."},
|
||||
|
||||
"GET:/v1/doot":
|
||||
{"seconds": 5, "max": 5, "_comment": "Unauthenticated DOOT for server monitoring."},
|
||||
|
||||
"POST:/v1/login":
|
||||
{"seconds": 60, "max": 3, "_comment": "Prevent bruteforce attacks on Login."},
|
||||
|
||||
"POST:/v1/admin":
|
||||
{"seconds": 60, "max": 1, "_comment": "Prevent bruteforce attacks on Admin Login."},
|
||||
|
||||
"POST:/v1/signup":
|
||||
{"seconds": 1800, "max": 1, "_comment": "Prevent spam account creation."},
|
||||
|
||||
"POST:/v1/forgot":
|
||||
{"seconds": 60, "max": 1, "_comment": "Slow down 'forgot password' enumeration/spam."}
|
||||
}
|
||||
35
config/dev/ratelimit.unauth.toml
Normal file
35
config/dev/ratelimit.unauth.toml
Normal file
@@ -0,0 +1,35 @@
|
||||
[[Rules]]
|
||||
# Global unauthenticated ratelimit.
|
||||
match = ""
|
||||
seconds = 60
|
||||
max = 30
|
||||
|
||||
[[Rules]]
|
||||
# Unauthenticated DOOT for server monitoring.
|
||||
match = "GET:/v1/doot"
|
||||
seconds = 5
|
||||
max = 5
|
||||
|
||||
[[Rules]]
|
||||
# Prevent bruteforce attacks on Login.
|
||||
match = "POST:/v1/login"
|
||||
seconds = 60
|
||||
max = 3
|
||||
|
||||
[[Rules]]
|
||||
# Prevent bruteforce attacks on Admin Login.
|
||||
match = "POST:/v1/admin"
|
||||
seconds = 60
|
||||
max = 1
|
||||
|
||||
[[Rules]]
|
||||
# Prevent spam account creation.
|
||||
match = "GET:/v1/adm/2fa-doot"
|
||||
seconds = 1800
|
||||
max = 1
|
||||
|
||||
[[Rules]]
|
||||
# Slow down 'forgot password' enumeration/spam.
|
||||
match = "POST:/v1/forgot"
|
||||
seconds = 60
|
||||
max = 1
|
||||
Reference in New Issue
Block a user