Rate-limit login attempts to 5/minute/account

petergeneric · petergeneric · commit 099d7b3ece56 · 2026-04-14T00:13:02.000+01:00
diff --git a/user-manager/service/src/main/java/com/peterphi/usermanager/rest/impl/UserManagerOAuthServiceImpl.java b/user-manager/service/src/main/java/com/peterphi/usermanager/rest/impl/UserManagerOAuthServiceImpl.java
@@ -33,6 +33,7 @@
 import com.peterphi.usermanager.rest.iface.oauth2server.types.OAuth2TokenResponse;
 import com.peterphi.usermanager.rest.marshaller.UserMarshaller;
 import com.peterphi.usermanager.rest.type.UserManagerUser;
+import com.peterphi.usermanager.service.LoginRateLimiter;
 import com.peterphi.usermanager.util.UserManagerBearerToken;
 import org.apache.commons.lang.StringUtils;
 import org.jboss.resteasy.util.BasicAuthHelper;
@@ -110,6 +111,9 @@ public class UserManagerOAuthServiceImpl implements UserManagerOAuthService
 	@Inject
 	UserMarshaller marshaller;
 
+	@Inject
+	LoginRateLimiter loginRateLimiter;
+
 
 	@Override
 	@AuthConstraint(id = "oauth2server_auth", role = "authenticated", comment = "Must be logged in to the User Manager to initiate a service login")
@@ -455,10 +459,18 @@ public String getToken(final String grantType,
 			{
 				// N.B. Don't expect the clientSecret from this call
 
+				// Enforce per-account failed-login rate limit (defaults to 5 failures per 60s window)
+				loginRateLimiter.checkAllowed(username);
+
 				final UserEntity user = userDao.login(username, password);
 
 				if (user == null)
+				{
+					loginRateLimiter.recordFailure(username);
 					throw new IllegalArgumentException("Incorrect username/password combination");
+				}
+
+				loginRateLimiter.recordSuccess(username);
 
 				// Accept the use of the service and create a new session
 				session = createSession(user.getId(), clientId, redirectUri, "password-to-token", true);
diff --git a/user-manager/service/src/main/java/com/peterphi/usermanager/service/LoginRateLimitedException.java b/user-manager/service/src/main/java/com/peterphi/usermanager/service/LoginRateLimitedException.java
@@ -0,0 +1,23 @@
+package com.peterphi.usermanager.service;
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+/**
+ * Thrown when a login attempt is refused because the account has exceeded the permitted number of
+ * failed login attempts inside the rolling window.
+ *
+ * <p>Extends {@link WebApplicationException} and carries a pre-built 429 Too Many Requests response, so
+ * that when this exception is thrown from a JAX-RS resource method without being caught, the framework
+ * automatically returns a 429 to the caller rather than a generic 500. Callers that want to render a
+ * custom body (e.g. the interactive login UI) can still catch this exception explicitly before it
+ * reaches the JAX-RS layer.</p>
+ */
+public class LoginRateLimitedException extends WebApplicationException
+{
+	public LoginRateLimitedException(final String message)
+	{
+		super(message, Response.status(429).type(MediaType.TEXT_PLAIN).entity(message).build());
+	}
+}
diff --git a/user-manager/service/src/main/java/com/peterphi/usermanager/service/LoginRateLimiter.java b/user-manager/service/src/main/java/com/peterphi/usermanager/service/LoginRateLimiter.java
@@ -0,0 +1,120 @@
+package com.peterphi.usermanager.service;
+
+import com.google.inject.Inject;
+import com.google.inject.Singleton;
+import com.google.inject.name.Named;
+import com.peterphi.std.annotation.Doc;
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.ArrayDeque;
+import java.util.Deque;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * In-memory per-account sliding window rate limiter for login attempts. After {@link #maxFailures} failed
+ * attempts inside the trailing {@link #windowSeconds} window, further attempts for that account are
+ * refused by throwing {@link LoginRateLimitedException} until enough time has passed for the oldest
+ * recorded failures to age out of the window.
+ *
+ * <p>Successful logins immediately clear the record for that account. Account keys are normalised to
+ * lower-case so that variations in letter-case cannot bypass the limit.</p>
+ */
+@Singleton
+public class LoginRateLimiter
+{
+	private static final Logger log = LoggerFactory.getLogger(LoginRateLimiter.class);
+
+	@Inject(optional = true)
+	@Named("auth.login.rate-limit.max-failures")
+	@Doc("Maximum number of failed login attempts permitted per account inside the rolling window (default 5)")
+	int maxFailures = 5;
+
+	@Inject(optional = true)
+	@Named("auth.login.rate-limit.window-seconds")
+	@Doc("Rolling window, in seconds, over which failed login attempts are counted (default 60)")
+	int windowSeconds = 60;
+
+	private final Map<String, Deque<Long>> failures = new HashMap<>();
+
+
+	/**
+	 * Throws {@link LoginRateLimitedException} if the account has exceeded {@link #maxFailures} failures
+	 * inside the trailing {@link #windowSeconds} window. Otherwise returns silently.
+	 */
+	public synchronized void checkAllowed(final String account)
+	{
+		if (StringUtils.isBlank(account))
+			return;
+
+		final String key = key(account);
+		final Deque<Long> timestamps = failures.get(key);
+
+		if (timestamps == null)
+			return;
+
+		expire(timestamps);
+
+		if (timestamps.isEmpty())
+		{
+			failures.remove(key);
+			return;
+		}
+
+		if (timestamps.size() >= maxFailures)
+		{
+			log.warn("Login rate limit exceeded for account '{}' ({} failures inside {}s window)",
+			         key,
+			         timestamps.size(),
+			         windowSeconds);
+
+			throw new LoginRateLimitedException("Too many failed login attempts for this account. Please wait a minute before trying again.");
+		}
+	}
+
+
+	/**
+	 * Record a failed login attempt for an account.
+	 */
+	public synchronized void recordFailure(final String account)
+	{
+		if (StringUtils.isBlank(account))
+			return;
+
+		final String key = key(account);
+		final Deque<Long> timestamps = failures.computeIfAbsent(key, k -> new ArrayDeque<>());
+
+		expire(timestamps);
+
+		timestamps.addLast(System.currentTimeMillis());
+	}
+
+
+	/**
+	 * Clear the failure record for an account (call after a successful login).
+	 */
+	public synchronized void recordSuccess(final String account)
+	{
+		if (StringUtils.isBlank(account))
+			return;
+
+		failures.remove(key(account));
+	}
+
+
+	private void expire(final Deque<Long> timestamps)
+	{
+		final long cutoff = System.currentTimeMillis() - (windowSeconds * 1000L);
+
+		while (!timestamps.isEmpty() && timestamps.peekFirst() < cutoff)
+			timestamps.removeFirst();
+	}
+
+
+	private static String key(final String account)
+	{
+		return StringUtils.lowerCase(StringUtils.trimToEmpty(account));
+	}
+}
diff --git a/user-manager/service/src/main/java/com/peterphi/usermanager/ui/impl/LoginUIServiceImpl.java b/user-manager/service/src/main/java/com/peterphi/usermanager/ui/impl/LoginUIServiceImpl.java
@@ -15,6 +15,8 @@
 import com.peterphi.usermanager.guice.authentication.UserAuthenticationService;
 import com.peterphi.usermanager.guice.authentication.UserLogin;
 import com.peterphi.usermanager.guice.token.CSRFTokenStore;
+import com.peterphi.usermanager.service.LoginRateLimitedException;
+import com.peterphi.usermanager.service.LoginRateLimiter;
 import com.peterphi.usermanager.service.PasswordResetService;
 import com.peterphi.usermanager.service.RedirectValidatorService;
 import com.peterphi.usermanager.ui.api.LoginUIService;
@@ -70,6 +72,9 @@ public class LoginUIServiceImpl implements LoginUIService
 	@Inject
 	RedirectValidatorService redirectValidator;
 
+	@Inject
+	LoginRateLimiter loginRateLimiter;
+
 
 	@Override
 	@AuthConstraint(skip = true, comment = "login page")
@@ -121,11 +126,25 @@ else if (!isTokenValid)
 						"An unexpected browser security error occurred. Please try closing your browser window and enter the system again.");
 			}
 
+			// Enforce per-account failed-login rate limit (defaults to 5 failures per 60s window)
+			try
+			{
+				loginRateLimiter.checkAllowed(user);
+			}
+			catch (LoginRateLimitedException e)
+			{
+				final String page = getLogin(returnTo, e.getMessage());
+
+				return Response.status(429).entity(page).build();
+			}
+
 			final UserEntity account = authenticationService.authenticate(user, password, false);
 
 			if (account != null)
 			{
-				// Successful login
+				// Successful login - clear any recorded failures for this account
+				loginRateLimiter.recordSuccess(user);
+
 				login.reload(account);
 
 				final Response.ResponseBuilder builder;
@@ -154,6 +173,9 @@ else if (!isTokenValid)
 			}
 			else
 			{
+				// Record the failure against the per-account rate limiter
+				loginRateLimiter.recordFailure(user);
+
 				// Send the user back to the login page
 				final String page = getLogin(returnTo, "E-mail/password incorrect");
 
