andrewmusselman opened a new issue, #535:
URL: https://github.com/apache/tooling-trusted-releases/issues/535

   ## Summary
   
   The application lacks rate limiting on authentication endpoints, exposing it to brute force attacks, credential stuffing, and denial of service.
   
   ## ASVS Requirements
   
   - 6.3.1 - Brute force protection controls
   - 10.4.4 - Token issuance rate limiting
   - 1.5.1 - DoS protection
   
   ## Related Audit Reports
   
   - [Internal Access #402](ASVS/internal-access-402.md) - Section 10.4.4
   - [Basic Access #404](ASVS/basic-access-404.md) - Issue 13.4.1-2
   - [Brute Force #405](ASVS/brute-force-identification-405.md) - Section 6.3.1
   - [Denial of Service #407](ASVS/denial-of-service-407.md) - Issue 2
   - [Documentation #408](ASVS/documentation-408.md) - Section 6.1.1
   
   ## Affected Files
   
   - `atr/api/__init__.py` - JWT creation endpoint (lines 361-380)
   - `atr/post/tokens.py` - PAT creation (lines 36-40)
   
   ## Current Behavior
   
   From `notes/api-security.md:38`:
   > "We do not rate limit PAT or JWT issuance."
   
   ## Risk
   
   - Brute force attacks on PAT values
   - Credential stuffing attacks
   - Token flooding/denial of service
   - User enumeration via timing attacks
   
   ## Recommended Fix
   
   ```python
   from datetime import timedelta

   from quart_rate_limiter import RateLimiter, rate_limit

   limiter = RateLimiter(app)

   @api.route("/jwt/create", methods=["POST"])
   @rate_limit(10, timedelta(minutes=1))  # 10 requests per minute
   async def jwt_create(data: models.api.JwtCreateArgs) -> DictResponse:
       ...  # existing code

   @api.route("/tokens", methods=["POST"])
   @rate_limit(5, timedelta(minutes=1))  # 5 requests per minute
   async def token_create():
       ...  # existing code
   ```
   
   ## Acceptance Criteria
   
   - [ ] Rate limiting implemented on `/api/jwt/create` endpoint
   - [ ] Rate limiting implemented on PAT creation endpoint
   - [ ] Rate limiting implemented on web JWT generation (`/tokens/jwt`)
   - [ ] Failed attempt tracking added
   - [ ] Account lockout mechanism after N failed attempts
   - [ ] Rate limit headers returned to clients (X-RateLimit-*)
   - [ ] Documentation updated in `notes/api-security.md`
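As an added, stand-alone illustration of the failed-attempt tracking, lockout and `X-RateLimit-*` header items in the acceptance criteria (this is not code from the tooling-trusted-releases project or from the issue author), the sketch below combines a per-client sliding-window limit with lockout after N failed credential checks. The class and method names are assumptions, and the clock is passed in explicitly so the logic can be exercised offline.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    headers: dict  # X-RateLimit-* on normal traffic, Retry-After while locked out


class IssuanceLimiter:
    """Sliding-window rate limit plus failed-attempt lockout for token endpoints (hypothetical helper)."""

    def __init__(self, limit: int, window_s: float, max_failures: int, lockout_s: float):
        self.limit, self.window_s = limit, window_s
        self.max_failures, self.lockout_s = max_failures, lockout_s
        self._hits = defaultdict(deque)      # key -> timestamps of issuance requests
        self._failures = defaultdict(deque)  # key -> timestamps of failed auths
        self._locked_until = {}              # key -> time at which the lockout expires

    def check(self, key: str, now: float) -> Decision:
        # A locked key gets no quota at all; tell the client when to come back.
        until = self._locked_until.get(key, 0.0)
        if now < until:
            return Decision(False, {"Retry-After": str(math.ceil(until - now))})
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window_s:  # drop requests outside the window
            hits.popleft()
        allowed = len(hits) < self.limit
        if allowed:
            hits.append(now)  # denied requests do not consume quota
        reset = math.ceil(hits[0] + self.window_s - now) if hits else 0
        return Decision(allowed, {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(max(self.limit - len(hits), 0)),
            "X-RateLimit-Reset": str(reset),
        })

    def record_failure(self, key: str, now: float) -> bool:
        """Record a failed credential check; returns True if the key is now locked out.
        Failures are counted over the same interval used for the lockout duration."""
        fails = self._failures[key]
        while fails and fails[0] <= now - self.lockout_s:
            fails.popleft()
        fails.append(now)
        if len(fails) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            fails.clear()
            return True
        return False
```

Keying on the client IP alone is a weak choice behind shared NATs or proxies; a key derived from the presented principal (or both) is the more useful unit for the lockout part.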


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
