Skip to content

Security: add rate limiting / brute-force protection on auth and API-key endpoints #104

Description

@rubenhensen

Problem

There is no rate limiting / brute-force protection on the sensitive paths: the Yivi disclosure/login flow, the /irma proxy, admin login, DNS-verification triggers, and API-key-authenticated endpoints. An attacker can hammer session creation, guess API keys, or flood the IRMA server and DB.

Why it matters

  • Brute-force and abuse protection on auth surfaces.
  • Shields the IRMA server and Postgres from request floods.

Proposal

  • Add a rate-limiting layer in src/hooks.server.ts (or a helper applied to sensitive endpoints), keyed by IP + route, with sensible per-route limits for: session/disclosure start, API-key auth failures, DNS verification, and admin login.
  • Decide and document the cross-replica story — in-memory limits are per-instance; a shared store (e.g. Redis) is needed for consistent limits across replicas.
  • If the intended enforcement point in production is the reverse proxy (nginx), document and configure limits there instead.

Acceptance criteria

  • Sensitive endpoints return 429 past a configurable threshold.
  • Limits configurable via env.
  • Cross-replica behavior (shared store vs per-instance) documented.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestsecuritySecurity-related issue (vulnerability, hardening, or risk)

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions