
Add per-client-IP rate limiting and auth-failure lockout#76

Merged
0xFelix merged 3 commits into main from ratelimit-lockout
Apr 16, 2026

Conversation


@0xFelix 0xFelix commented Apr 16, 2026

Summary

  • Add token-bucket rate limiter (x/time/rate) and auth-failure lockout per client IP
  • Rate limit returns HTTP 429 (or DynDNS2 abuse token for /nic/update)
  • Lockout with configurable window decay, idle sweep, and stale entry cleanup
  • Defaults: 5 RPS, burst 10, lockout after 10 failures within 900s for 3600s
  • Always enabled (no on/off switch)

Test plan

  • make test passes (config, lockout, limiter tests)
  • make lint passes (0 issues)
  • make build succeeds
  • Manual test: verify rate limit triggers 429 after burst exhausted
  • Manual test: verify lockout triggers after repeated auth failures

🤖 Generated with Claude Code
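The two controls this PR describes, written out as an added example that is not the project's code: a per-client-IP token bucket plus an auth-failure counter with a decay window and a lockout, parameterized by the PR's rps, burst, failure count, window and lockout settings. It assumes a hand-rolled bucket on the standard library in place of golang.org/x/time/rate, leaves the idle sweep out, and leaves locking of the shared map to the caller.

```go
package main

import (
	"math"
	"time"
)

// Per-IP state; the zero value is a full bucket with no failures and no lockout.
type client struct {
	spent                          float64 // tokens taken from the burst so far
	fails                          int     // auth failures in the current window
	last, windowStart, lockedUntil time.Time
}
// Guard holds both controls (hand-rolled bucket here; the PR uses x/time/rate).
// Build it with a non-nil clients map and serialize access with a mutex.
type Guard struct {
	rps, burst      float64
	maxFail         int
	window, lockFor time.Duration
	clients         map[string]client
}

// Allow spends one token for ip at now; false means answer HTTP 429 (or the
// DynDNS2 abuse token). A locked-out IP is refused before its bucket is consulted.
func (g *Guard) Allow(ip string, now time.Time) bool {
	c := g.clients[ip]
	if now.Before(c.lockedUntil) {
		return false
	}
	c.spent, c.last = math.Max(0, c.spent-now.Sub(c.last).Seconds()*g.rps), now // refill, capped
	if c.spent > g.burst-1 { // less than one whole token left
		return false
	}
	c.spent++
	g.clients[ip] = c
	return true
}
// AuthFailed records one failed login: the count restarts once window has
// elapsed, and the maxFail-th failure inside a window locks ip out for lockFor.
func (g *Guard) AuthFailed(ip string, now time.Time) {
	c := g.clients[ip]
	if now.Sub(c.windowStart) > g.window {
		c.fails, c.windowStart = 0, now
	}
	c.fails++
	if c.fails >= g.maxFail {
		c.lockedUntil, c.fails = now.Add(g.lockFor), 0
	}
	g.clients[ip] = c
}
```

A handler calls Allow first and, on an authentication failure, AuthFailed for the same client IP; a refused Allow is where the 429 or abuse response is produced.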

Add token-bucket rate limiter (via golang.org/x/time/rate) and
auth-failure lockout to protect against request floods and brute-force
attacks. Both are always enabled with configurable parameters.
Lockout returns HTTP 429 for generic endpoints and the DynDNS2
'abuse' token for /nic/update.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Felix Matouschek <fmatouschek@redhat.com>
@0xFelix 0xFelix force-pushed the ratelimit-lockout branch from 34f7294 to 93f5c9f April 16, 2026 18:20
0xFelix and others added 2 commits April 16, 2026 20:25
The test server configs had zero-value RateLimit and Lockout fields,
causing all requests to be rate-limited immediately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Felix Matouschek <fmatouschek@redhat.com>
Add RATE_LIMIT_IDLE_SECONDS / rateLimit.idleSeconds config option
to control how long an inactive client's token bucket is kept before
being swept. Defaults to 600 seconds (10 minutes).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Felix Matouschek <fmatouschek@redhat.com>
@0xFelix 0xFelix merged commit 254beca into main Apr 16, 2026
5 checks passed
@0xFelix 0xFelix deleted the ratelimit-lockout branch April 16, 2026 18:34