starred/godoxy
1
0
Fork 0
mirror of https://github.com/yusing/godoxy.git synced 2026-04-25 10:18:59 +02:00
Code Issues 18 Packages Projects Releases 10 Wiki Activity

feat(oidc): make rate limit customizable; per oidc instance rate limit

Browse Source 
- add env variables OIDC_RATE_LIMIT and OIDC_RATE_LIMIT_PERIOD
- default rate limit changed to 10 rps from 1 rps
- rate limit is no longer applied globally
This commit is contained in:
yusing
2025-12-22 10:43:41 +08:00
parent af2975bcc4
commit 1636e19937
2 changed files with 13 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/auth/oidc.go
View File

@@ -32,6 +32,8 @@ type (
allowedUsers []string allowedUsers []string
allowedGroups []string allowedGroups []string
rateLimit *rate.Limiter
onUnknownPathHandler http.HandlerFunc onUnknownPathHandler http.HandlerFunc
} }
@@ -123,6 +125,7 @@ func NewOIDCProvider(issuerURL, clientID, clientSecret string, allowedUsers, all
endSessionURL: endSessionURL, endSessionURL: endSessionURL,
allowedUsers: allowedUsers, allowedUsers: allowedUsers,
allowedGroups: allowedGroups, allowedGroups: allowedGroups,
rateLimit: rate.NewLimiter(rate.Every(common.OIDCRateLimitPeriod), common.OIDCRateLimit),
}, nil }, nil
} }
@@ -165,6 +168,7 @@ func NewOIDCProviderWithCustomClient(baseProvider *OIDCProvider, clientID, clien
endSessionURL: baseProvider.endSessionURL, endSessionURL: baseProvider.endSessionURL,
allowedUsers: baseProvider.allowedUsers, allowedUsers: baseProvider.allowedUsers,
allowedGroups: baseProvider.allowedGroups, allowedGroups: baseProvider.allowedGroups,
rateLimit: baseProvider.rateLimit,
}, nil }, nil
} }
@@ -228,8 +232,6 @@ func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
} }
} }
var rateLimit = rate.NewLimiter(rate.Every(time.Second), 1)
func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) { func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
if !httputils.GetAccept(r.Header).AcceptHTML() { if !httputils.GetAccept(r.Header).AcceptHTML() {
http.Error(w, "authentication is required", http.StatusForbidden) http.Error(w, "authentication is required", http.StatusForbidden)
@@ -255,7 +257,7 @@ func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
return return
} }
if !rateLimit.Allow() { if !auth.rateLimit.Allow() {
WriteBlockPage(w, http.StatusTooManyRequests, "auth rate limit exceeded", "Try again", OIDCAuthInitPath) WriteBlockPage(w, http.StatusTooManyRequests, "auth rate limit exceeded", "Try again", OIDCAuthInitPath)
return return
} }

14
internal/common/env.go
View File

@@ -39,12 +39,14 @@ var (
DebugDisableAuth = env.GetEnvBool("DEBUG_DISABLE_AUTH", false) DebugDisableAuth = env.GetEnvBool("DEBUG_DISABLE_AUTH", false)
// OIDC Configuration. // OIDC Configuration.
OIDCIssuerURL = env.GetEnvString("OIDC_ISSUER_URL", "") OIDCIssuerURL = env.GetEnvString("OIDC_ISSUER_URL", "")
OIDCClientID = env.GetEnvString("OIDC_CLIENT_ID", "") OIDCClientID = env.GetEnvString("OIDC_CLIENT_ID", "")
OIDCClientSecret = env.GetEnvString("OIDC_CLIENT_SECRET", "") OIDCClientSecret = env.GetEnvString("OIDC_CLIENT_SECRET", "")
OIDCScopes = env.GetEnvCommaSep("OIDC_SCOPES", "openid, profile, email, groups") OIDCScopes = env.GetEnvCommaSep("OIDC_SCOPES", "openid, profile, email, groups")
OIDCAllowedUsers = env.GetEnvCommaSep("OIDC_ALLOWED_USERS", "") OIDCAllowedUsers = env.GetEnvCommaSep("OIDC_ALLOWED_USERS", "")
OIDCAllowedGroups = env.GetEnvCommaSep("OIDC_ALLOWED_GROUPS", "") OIDCAllowedGroups = env.GetEnvCommaSep("OIDC_ALLOWED_GROUPS", "")
OIDCRateLimit = env.GetEnvInt("OIDC_RATE_LIMIT", 10)
OIDCRateLimitPeriod = env.GetEnvDuation("OIDC_RATE_LIMIT_PERIOD", time.Second)
// metrics configuration // metrics configuration
MetricsDisableCPU = env.GetEnvBool("METRICS_DISABLE_CPU", false) MetricsDisableCPU = env.GetEnvBool("METRICS_DISABLE_CPU", false)