fix(security): harden auth, input validation, and session management

- Add login rate limiting (5 attempts / 15 min per IP)
- Add Secure flag on session cookies
- Fix timing attack: always run bcrypt even if user not found
- Log all login attempts (success/fail) with IP and username
- Increase bcrypt cost from 10 to 12
- Reduce default session lifetime from 7 days to 2 hours
- Add email validator (net/mail) and use in certbot RequestSSL
- Add Filename validator (filepath.Clean) for path traversal protection

Author: Fokir

internal/auth/handler.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"log/slog"
 	"net/http"
 	"time"
 
@@ -9,10 +10,11 @@ import (
 
 type Handler struct {
 	svc *Service
+	rl  *RateLimiter
 }
 
 func NewHandler(svc *Service) *Handler {
-	return &Handler{svc: svc}
+	return &Handler{svc: svc, rl: NewRateLimiter()}
 }
 
 func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
@@ -27,17 +29,30 @@ func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	ip := r.RemoteAddr
+
+	if !h.rl.Allow(ip) {
+		slog.Warn("login rate limit exceeded", "ip", ip, "username", req.Username)
+		httputil.Error(w, http.StatusTooManyRequests, "too many login attempts, try again later")
+		return
+	}
+
 	session, user, err := h.svc.Login(req.Username, req.Password)
 	if err != nil {
+		slog.Warn("login failed", "ip", ip, "username", req.Username)
 		httputil.Error(w, http.StatusUnauthorized, "invalid credentials")
 		return
 	}
 
+	h.rl.Reset(ip)
+	slog.Info("login successful", "ip", ip, "username", req.Username)
+
 	http.SetCookie(w, &http.Cookie{
 		Name:     "session",
 		Value:    session.ID,
 		Path:     "/",
 		HttpOnly: true,
+		Secure:   true,
 		SameSite: http.SameSiteStrictMode,
 		MaxAge:   int(time.Until(session.ExpiresAt).Seconds()),
 	})
@@ -56,6 +71,7 @@ func (h *Handler) Logout(w http.ResponseWriter, r *http.Request) {
 		Value:    "",
 		Path:     "/",
 		HttpOnly: true,
+		Secure:   true,
 		SameSite: http.SameSiteStrictMode,
 		MaxAge:   -1,
 	})

internal/auth/ratelimit.go

@@ -0,0 +1,70 @@
+package auth
+
+import (
+	"sync"
+	"time"
+)
+
+const (
+	maxLoginAttempts = 5
+	loginWindow      = 15 * time.Minute
+)
+
+type loginAttempt struct {
+	count    int
+	windowAt time.Time
+}
+
+type RateLimiter struct {
+	mu       sync.Mutex
+	attempts map[string]*loginAttempt
+}
+
+func NewRateLimiter() *RateLimiter {
+	rl := &RateLimiter{attempts: make(map[string]*loginAttempt)}
+	go rl.cleanup()
+	return rl
+}
+
+// Allow checks if the IP is allowed to attempt login.
+func (rl *RateLimiter) Allow(ip string) bool {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+
+	a, ok := rl.attempts[ip]
+	if !ok {
+		rl.attempts[ip] = &loginAttempt{count: 1, windowAt: time.Now().Add(loginWindow)}
+		return true
+	}
+
+	if time.Now().After(a.windowAt) {
+		a.count = 1
+		a.windowAt = time.Now().Add(loginWindow)
+		return true
+	}
+
+	a.count++
+	return a.count <= maxLoginAttempts
+}
+
+// Reset clears the counter for an IP after successful login.
+func (rl *RateLimiter) Reset(ip string) {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+	delete(rl.attempts, ip)
+}
+
+func (rl *RateLimiter) cleanup() {
+	ticker := time.NewTicker(5 * time.Minute)
+	defer ticker.Stop()
+	for range ticker.C {
+		rl.mu.Lock()
+		now := time.Now()
+		for ip, a := range rl.attempts {
+			if now.After(a.windowAt) {
+				delete(rl.attempts, ip)
+			}
+		}
+		rl.mu.Unlock()
+	}
+}

internal/auth/service.go

@@ -32,7 +32,7 @@ func (s *Service) EnsureAdminUser(username, password string) error {
 		return nil
 	}
 
-	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), 12)
 	if err != nil {
 		return fmt.Errorf("hash password: %w", err)
 	}
@@ -46,10 +46,20 @@ func (s *Service) EnsureAdminUser(username, password string) error {
 	return nil
 }
 
+// dummyHash is a pre-computed bcrypt hash used to prevent timing attacks.
+// When a user is not found, we still run bcrypt comparison against this hash
+// so the response time is consistent regardless of whether the user exists.
+var dummyHash = func() []byte {
+	h, _ := bcrypt.GenerateFromPassword([]byte("dummy-timing-attack-prevention"), 12)
+	return h
+}()
+
 func (s *Service) Login(username, password string) (*Session, *User, error) {
 	user, err := s.repo.GetUserByUsername(username)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
+			// Constant-time: always run bcrypt even if user doesn't exist
+			bcrypt.CompareHashAndPassword(dummyHash, []byte(password))
 			return nil, nil, fmt.Errorf("invalid credentials")
 		}
 		return nil, nil, fmt.Errorf("get user: %w", err)

internal/config/config.go

@@ -24,7 +24,7 @@ func Load() (*Config, error) {
 		AdminPassword: getEnv("ADMIN_PASSWORD", ""),
 		DBPath:        getEnv("DB_PATH", "system-control.db"),
 		NginxSitesDir: getEnv("NGINX_SITES_DIR", "/etc/nginx/sites-enabled"),
-		SessionMaxAge:     getEnvInt("SESSION_MAX_AGE", 604800), // 7 days
+		SessionMaxAge:     getEnvInt("SESSION_MAX_AGE", 7200), // 2 hours
 		TrafficInterfaces: getEnv("TRAFFIC_INTERFACES", ""),
 		TrafficInterval:   getEnvInt("TRAFFIC_INTERVAL", 10),
 	}

internal/nginx/service.go

@@ -214,6 +214,10 @@ func (s *Service) SetEnabled(id int64, enabled bool) (*Domain, error) {
 }
 
 func (s *Service) RequestSSL(id int64, email string) error {
+	if err := validate.Email(email); err != nil {
+		return fmt.Errorf("email: %w", err)
+	}
+
 	domain, err := s.repo.GetByID(id)
 	if err != nil {
 		return fmt.Errorf("domain not found: %w", err)
@@ -388,9 +392,8 @@ func (s *Service) ImportExternal(filename string) (*Domain, error) {
 		return nil, fmt.Errorf("import is only supported on Linux")
 	}
 
-	// Validate filename to prevent path traversal
-	if strings.Contains(filename, "/") || strings.Contains(filename, "\\") || strings.Contains(filename, "..") {
-		return nil, fmt.Errorf("invalid filename")
+	if err := validate.Filename(filename); err != nil {
+		return nil, err
 	}
 
 	srcPath := filepath.Join(s.sitesDir, filename)

internal/pkg/validate/validate.go

@@ -3,6 +3,8 @@ package validate
 import (
 	"fmt"
 	"net"
+	"net/mail"
+	"path/filepath"
 	"regexp"
 )
 
@@ -35,3 +37,25 @@ func Required(field, value string) error {
 	}
 	return nil
 }
+
+func Email(email string) error {
+	if email == "" {
+		return fmt.Errorf("email is required")
+	}
+	_, err := mail.ParseAddress(email)
+	if err != nil {
+		return fmt.Errorf("invalid email address: %s", email)
+	}
+	return nil
+}
+
+func Filename(name string) error {
+	if name == "" {
+		return fmt.Errorf("filename is required")
+	}
+	cleaned := filepath.Clean(name)
+	if cleaned != name || filepath.IsAbs(name) || cleaned == ".." || cleaned == "." {
+		return fmt.Errorf("invalid filename")
+	}
+	return nil
+}