30b6eccae5
* feat(gateway): add auth rate-limiting & brute-force protection Add a per-IP sliding-window rate limiter to Gateway authentication endpoints (HTTP, WebSocket upgrade, and WS message-level auth). When gateway.auth.rateLimit is configured, failed auth attempts are tracked per client IP. Once the threshold is exceeded within the sliding window, further attempts are blocked with HTTP 429 + Retry-After until the lockout period expires. Loopback addresses are exempt by default so local CLI sessions are never locked out. The limiter is only created when explicitly configured (undefined otherwise), keeping the feature fully opt-in and backward-compatible. * fix(gateway): isolate auth rate-limit scopes and normalize 429 responses --------- Co-authored-by: buerbaumer <buerbaumer@users.noreply.github.com> Co-authored-by: Peter Steinberger <steipete@gmail.com>
78 lines
2.2 KiB
TypeScript
78 lines
2.2 KiB
TypeScript
import type { IncomingMessage, ServerResponse } from "node:http";
|
|
import type { GatewayAuthResult } from "./auth.js";
|
|
import { readJsonBody } from "./hooks.js";
|
|
|
|
export function sendJson(res: ServerResponse, status: number, body: unknown) {
|
|
res.statusCode = status;
|
|
res.setHeader("Content-Type", "application/json; charset=utf-8");
|
|
res.end(JSON.stringify(body));
|
|
}
|
|
|
|
export function sendText(res: ServerResponse, status: number, body: string) {
|
|
res.statusCode = status;
|
|
res.setHeader("Content-Type", "text/plain; charset=utf-8");
|
|
res.end(body);
|
|
}
|
|
|
|
export function sendMethodNotAllowed(res: ServerResponse, allow = "POST") {
|
|
res.setHeader("Allow", allow);
|
|
sendText(res, 405, "Method Not Allowed");
|
|
}
|
|
|
|
export function sendUnauthorized(res: ServerResponse) {
|
|
sendJson(res, 401, {
|
|
error: { message: "Unauthorized", type: "unauthorized" },
|
|
});
|
|
}
|
|
|
|
export function sendRateLimited(res: ServerResponse, retryAfterMs?: number) {
|
|
if (retryAfterMs && retryAfterMs > 0) {
|
|
res.setHeader("Retry-After", String(Math.ceil(retryAfterMs / 1000)));
|
|
}
|
|
sendJson(res, 429, {
|
|
error: {
|
|
message: "Too many failed authentication attempts. Please try again later.",
|
|
type: "rate_limited",
|
|
},
|
|
});
|
|
}
|
|
|
|
export function sendGatewayAuthFailure(res: ServerResponse, authResult: GatewayAuthResult) {
|
|
if (authResult.rateLimited) {
|
|
sendRateLimited(res, authResult.retryAfterMs);
|
|
return;
|
|
}
|
|
sendUnauthorized(res);
|
|
}
|
|
|
|
export function sendInvalidRequest(res: ServerResponse, message: string) {
|
|
sendJson(res, 400, {
|
|
error: { message, type: "invalid_request_error" },
|
|
});
|
|
}
|
|
|
|
export async function readJsonBodyOrError(
|
|
req: IncomingMessage,
|
|
res: ServerResponse,
|
|
maxBytes: number,
|
|
): Promise<unknown> {
|
|
const body = await readJsonBody(req, maxBytes);
|
|
if (!body.ok) {
|
|
sendInvalidRequest(res, body.error);
|
|
return undefined;
|
|
}
|
|
return body.value;
|
|
}
|
|
|
|
export function writeDone(res: ServerResponse) {
|
|
res.write("data: [DONE]\n\n");
|
|
}
|
|
|
|
export function setSseHeaders(res: ServerResponse) {
|
|
res.statusCode = 200;
|
|
res.setHeader("Content-Type", "text/event-stream; charset=utf-8");
|
|
res.setHeader("Cache-Control", "no-cache");
|
|
res.setHeader("Connection", "keep-alive");
|
|
res.flushHeaders?.();
|
|
}
|