Skip to content

Commit 9b4164d

Browse files
committed
security: rate-limit /auth/refresh (T2-6 scoped)
2 parents 223387b + 75dc1ae commit 9b4164d

1 file changed

Lines changed: 8 additions & 1 deletion

File tree

internal/gateway/router.go

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -155,6 +155,13 @@ func NewRouter(p RouterParams) http.Handler {
155155
p.AuthRateLimiters.LoginCfg,
156156
"register",
157157
)
158+
// Refresh is unauthenticated (the access token is expired/absent) and rotates
159+
// sessions; throttle per-IP so a stolen refresh token can't be hammered.
160+
refreshRL := middleware.AuthRateLimit(
161+
p.AuthRateLimiters.Login,
162+
p.AuthRateLimiters.LoginCfg,
163+
"refresh",
164+
)
158165
acceptInviteRL := middleware.AuthRateLimit(
159166
p.AuthRateLimiters.AcceptInvitation,
160167
p.AuthRateLimiters.AcceptInvitationCfg,
@@ -173,7 +180,7 @@ func NewRouter(p RouterParams) http.Handler {
173180
api.With(registerRL).Post("/auth/register", p.IdentityHandler.Register)
174181
api.With(loginRL).Post("/auth/login", p.IdentityHandler.Login)
175182
api.Post("/auth/verify-email", p.IdentityHandler.VerifyEmail)
176-
api.Post("/auth/refresh", p.IdentityHandler.RefreshToken)
183+
api.With(refreshRL).Post("/auth/refresh", p.IdentityHandler.RefreshToken)
177184

178185
// Public webhook endpoints (authenticated by their respective handlers).
179186
api.Post("/webhooks/remnawave", p.WebhookHandler.ServeHTTP)

0 commit comments

Comments
 (0)