
Auth is handled before the ratelimiter middleware #325

Open
@shaunco

Description

Describe the bug
Rate limiting (fail2ban) is usually used to prevent brute force auth attacks against a server. Wish offers both authentication and rate limiting, but seems to call the auth handler first and then only calls the ratelimiter middleware if auth succeeds. Calling the rate limiter first produces the desired effect of preventing brute force auth attacks.

To Reproduce

package main

import (
	"log"

	"github.com/charmbracelet/ssh" // older Wish releases import github.com/gliderlabs/ssh instead
	"github.com/charmbracelet/wish"
	"github.com/charmbracelet/wish/ratelimiter"
)

func main() {
	myHostKeyPath := "/path/to/host_key" // placeholder: substitute the server's host key path
	s, err := wish.NewServer(
		wish.WithAddress(":2222"),
		wish.WithHostKeyPath(myHostKeyPath),
		// Password callback: invoked for every connection, before any middleware runs.
		wish.WithPasswordAuth(func(ctx ssh.Context, password string) bool {
			return password == "password"
		}),
		wish.WithMiddleware(
			// Middleware only runs once a session exists, i.e. after auth succeeded.
			ratelimiter.Middleware(ratelimiter.NewRateLimiter(1, 2, 1000)),
		),
	)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(s.ListenAndServe())
}

In the above server, auth is always called - regardless of rate limits, and the ratelimiter Middleware is only called if auth succeeds (returns true).

Expected behavior
Rate limiting should happen before auth, perhaps via s.ConnCallback instead of middleware.
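The ordering the report describes, and the connection-callback placement it proposes, as an added example that is not Wish's code or the reporter's: a small per-IP token bucket (ipLimiter, Gate and simulate are names made up for this example, and the limiter is a stand-in, not wish's ratelimiter package) plus a simulation of ten wrong-password connection attempts from one constructed address. With the limiter behind auth, as the issue reports, the password callback runs ten times; with the limiter as a connection gate it runs twice (the burst) and the remaining eight connections are closed before any handshake.

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

// ipLimiter is a per-source-IP token bucket written for this example; it is not wish's ratelimiter.
type ipLimiter struct {
	mu      sync.Mutex
	rate    float64 // tokens refilled per second
	burst   float64 // connections allowed in a burst
	now     func() time.Time // injectable clock, so the burst can be tested with time frozen
	buckets map[string]*bucket
}

type bucket struct {
	tokens float64
	last   time.Time
}

func newIPLimiter(ratePerSec float64, burst int) *ipLimiter {
	return &ipLimiter{rate: ratePerSec, burst: float64(burst), now: time.Now, buckets: map[string]*bucket{}}
}

// Allow charges one token for a connection from addr; over-limit callers are refused, not queued.
func (l *ipLimiter) Allow(addr net.Addr) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	key := addr.String()
	if host, _, err := net.SplitHostPort(key); err == nil {
		key = host // one bucket per IP, not per IP:port
	}
	now := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[key] = b
	}
	b.tokens += now.Sub(b.last).Seconds() * l.rate // refill for elapsed time
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Gate is the connection-callback step: it runs before the SSH handshake, hence before any
// password attempt. Over-limit connections are closed and nil returned, so auth never sees them.
func (l *ipLimiter) Gate(conn net.Conn) net.Conn {
	if !l.Allow(conn.RemoteAddr()) {
		_ = conn.Close()
		return nil
	}
	return conn
}

// addrConn gives a net.Pipe end a realistic remote address for the simulation.
type addrConn struct {
	net.Conn
	remote net.Addr
}

func (c *addrConn) RemoteAddr() net.Addr { return c.remote }

// simulate replays wrong-password connection attempts from one IP (constructed input).
// gateFirst=false models the ordering the issue reports: the password callback runs for every
// connection and the limiter is only reached after a successful auth. gateFirst=true gates first.
func simulate(lim *ipLimiter, ip string, attempts int, gateFirst bool) (authCalls, dropped int) {
	remote := &net.TCPAddr{IP: net.ParseIP(ip), Port: 51000}
	passwordAuth := func(pw string) bool { return pw == "password" }
	for i := 0; i < attempts; i++ {
		server, _ := net.Pipe() // the client end is never used
		conn := net.Conn(&addrConn{Conn: server, remote: remote})
		if gateFirst {
			if conn = lim.Gate(conn); conn == nil {
				dropped++
				continue
			}
		}
		authCalls++
		if passwordAuth("guess") && !gateFirst { // an attacker's wrong guess
			lim.Allow(remote) // middleware-based limiting: only reached after auth success
		}
		conn.Close()
	}
	return authCalls, dropped
}

func main() {
	lim := newIPLimiter(1, 2) // 1 token/s, burst 2
	fmt.Println(simulate(lim, "203.0.113.7", 10, true)) // prints: auth calls, dropped
}
```

Wiring this into a real server is an assumption to check against the Wish and ssh versions in use: in the gliderlabs-derived ssh.Server that Wish builds on, ConnCallback has the shape func(ctx ssh.Context, conn net.Conn) net.Conn, so s.ConnCallback = func(_ ssh.Context, c net.Conn) net.Conn { return lim.Gate(c) } would place the check before auth, and as I read that server's HandleConn a nil return makes it drop the connection. Two caveats for a deployment: behind a load balancer or proxy the remote address is the proxy's, so key on the real client IP (for instance from PROXY protocol) or every client shares one bucket; and the bucket map above grows without bound, whereas the third argument in the report's NewRateLimiter(1, 2, 1000) call presumably caps tracked entries, so a production gate should evict or expire idle entries.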

Labels

enhancement (New feature or request)