security: brute-force protection on auth endpoints (v1.1.0)
- Nginx rate limit: 20 req/min per IP on /api/auth/login and /register - slowapi rate limit: 10/min on login, 5/hour on register (Redis-backed) - Real client IP extracted from X-Forwarded-For for accurate per-IP limiting Authored by: Jack Levy
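--- /dev/null
+++ b/backend/app/core/limiter.py
@@ -0,0 +1,13 @@
+from slowapi import Limiter
+
+
+def _get_real_ip(request) -> str:
+    """Extract real client IP, respecting X-Forwarded-For from trusted proxies."""
+    forwarded = request.headers.get("X-Forwarded-For")
+    if forwarded:
+        return forwarded.split(",")[0].strip()
+    return request.client.host if request.client else "unknown"
+
+
+# Redis DB 1 keeps rate-limit counters separate from Celery (DB 0)
+limiter = Limiter(key_func=_get_real_ip, storage_uri="redis://redis:6379/1")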
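Review bot: `_get_real_ip` honors `X-Forwarded-For` unconditionally and takes the leftmost entry, so the rate-limit key is whatever the sender puts in that header rather than the address the proxy saw; the docstring's "from trusted proxies" is not enforced anywhere in the hunk. With the Nginx layer named in the description in front, the safer shape is to honor the header only when the direct peer (`request.client.host`) is the proxy and to use the rightmost entry, which is the hop the proxy itself appended (assuming Nginx sets it via `$proxy_add_x_forwarded_for`; if Nginx overwrites the header with `$remote_addr` instead, the single value is fine but the trust check still belongs here). The `"unknown"` fallback also folds every request without a client address into one shared bucket, which is worth a comment stating that this is deliberate. The Redis URI carries no credentials and is hard-coded; reading it from the app's settings alongside the Celery URI would keep the two consistent.

```python
# Address(es) of the proxy tier allowed to set X-Forwarded-For.
TRUSTED_PROXY_HOSTS = {"<proxy-address placeholder>"}  # placeholder: take from settings


def _get_real_ip(request) -> str:
    """Return the rate-limit key for *request*: the client address as seen by a trusted proxy."""
    peer = request.client.host if request.client else "unknown"
    forwarded = request.headers.get("X-Forwarded-For")
    if forwarded and peer in TRUSTED_PROXY_HOSTS:
        # Rightmost hop is the one appended by the trusted proxy; earlier entries are client-supplied.
        return forwarded.split(",")[-1].strip()
    return peer
# … unchanged: Limiter construction …
```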