Skip to content

Add rate limiting to unauthenticated routes#19593

Merged
sfreiberg merged 8 commits intomasterfrom
sfreiberg/add-rate-limits
Jan 4, 2023
Merged

Add rate limiting to unauthenticated routes#19593
sfreiberg merged 8 commits intomasterfrom
sfreiberg/add-rate-limits

Conversation

@sfreiberg
Copy link
Copy Markdown
Contributor

@sfreiberg sfreiberg commented Dec 21, 2022
edited
Loading

Purpose

Add rate limiting to unauthenticated routes and fix a bug in the rate limiter logic.

Implementation

  1. Fix a bug in the rate limiter check that effectively circumvented the rate limiter and add a test
  2. Move the rate limiter onto the Handler struct so it can be used by the enterprise version
  3. Delete a legacy (deprecated) route and update tests
  4. Add limiter to /webapi/sessions/web and /webapi/github/login/console

@sfreiberg sfreiberg requested a review from jentfoo December 30, 2022 16:51
@sfreiberg sfreiberg marked this pull request as ready for review December 30, 2022 22:57
@sfreiberg sfreiberg changed the title [WIP] Add rate limiting to unauthenticated routes Add rate limiting to unauthenticated routes Dec 30, 2022
codingllama
codingllama reviewed Jan 3, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@codingllama codingllama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add rate limiting to unauthenticated routes and fix a bug in the rate limiter logic.

Sorry, what was the bug?

Comment thread lib/web/apiserver_test.go Outdated
Comment thread lib/web/apiserver_test.go Outdated
Comment thread lib/web/apiserver_test.go
Comment thread lib/web/apiserver_test.go
@sfreiberg
Copy link
Copy Markdown
Contributor Author

sfreiberg commented Jan 3, 2023

@codingllama The rate limiter was checking the remote IP address AND port. Multiple requests using something like curl would never trigger the rate limiter because each new request would come from a different remote port.

@codingllama
Copy link
Copy Markdown
Contributor

codingllama commented Jan 3, 2023

@codingllama The rate limiter was checking the remote IP address AND port. Multiple requests using something like curl would never trigger the rate limiter because each new request would come from a different remote port.

Well spotted. Thanks for the fix!

@sfreiberg sfreiberg enabled auto-merge (squash) January 4, 2023 19:09
@sfreiberg sfreiberg force-pushed the sfreiberg/add-rate-limits branch from 2c9125a to 3d60c4d Compare January 4, 2023 19:09
@sfreiberg sfreiberg merged commit 9726a3d into master Jan 4, 2023
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jan 4, 2023

@sfreiberg See the table below for backport results.

Branch Result
branch/v10 Failed
branch/v11 Failed
branch/v9 Failed

This was referenced Jan 4, 2023
Merged
Merged
@sfreiberg sfreiberg deleted the sfreiberg/add-rate-limits branch January 4, 2023 21:00
@sfreiberg
Copy link
Copy Markdown
Contributor Author

sfreiberg commented Jan 4, 2023
edited
Loading

Rate limiting wasn't available in v9 so these changes will only be backported to v10 and v11.

@avatus
Copy link
Copy Markdown
Contributor

avatus commented Jan 4, 2023
edited
Loading

I missed this in the review (was testing not this part I guess?) but this broke logging in via the webapi.
Removing this line here

results in the web login form giving the error
Screenshot 2023-01-04 at 4 24 31 PM

Apparently the old "REMOVE IN 5.1" comment wasn't quite accurate. Adding this line back in fixes the login issue

h.POST("/webapi/sessions", httplib.WithCSRFProtection(h.createWebSession))

Although I suppose the frontend change to call the new endpoint would probably be a better fix.

@avatus avatus mentioned this pull request Jan 4, 2023
Merged
@avatus
Copy link
Copy Markdown
Contributor

avatus commented Jan 4, 2023

I've put up a PR here on the webapps repo for a fix so we can roll with this code and actually deprecate this endpoint. Would love a set of eyes and any historical info around this part of the code base

@codingllama
Copy link
Copy Markdown
Contributor

codingllama commented Jan 5, 2023

Yep, cleaning up those "DELETE IN" lines without double-checking can be a risky move. I almost pointed it out, but OTOH we do want people to address them. Thanks for following up on it.

@sfreiberg
Copy link
Copy Markdown
Contributor Author

sfreiberg commented Jan 5, 2023

Apologies for this. I remember explicitly testing this locally before I committed but must have forgot to restart the server. In retrospect I should have done this in a separate PR and only on master. Also for these kinds of comments we should open an issue and link to it in the comment so that history is easy for anybody to find.

@sfreiberg sfreiberg mentioned this pull request Jan 6, 2023
Closed
@Joerger
Copy link
Copy Markdown
Contributor

Joerger commented Feb 21, 2023

@sfreiberg Is there a reason why POST /webapi/ssh/certs was not given a rate limiter? This is the endpoint used for normal Password/OTP login. If not, I plan on adding the limiter as part of #21005.

@jentfoo
Copy link
Copy Markdown
Contributor

jentfoo commented Feb 22, 2023

@Joerger I filled this issue to track the additional rate limit gap you mentioned: https://github.com/gravitational/teleport-private/issues/403

Let me know if I can help with that change as part of #21005

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@avatus avatus avatus approved these changes

@codingllama codingllama codingllama approved these changes

+1 more reviewer

@jentfoo jentfoo jentfoo approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sfreiberg @codingllama @avatus @Joerger @jentfoo