diff --git a/geneit_backend/src/controllers/auth_controller.rs b/geneit_backend/src/controllers/auth_controller.rs
index cb4e418..7b536cc 100644
--- a/geneit_backend/src/controllers/auth_controller.rs
+++ b/geneit_backend/src/controllers/auth_controller.rs
@@ -239,8 +239,18 @@ pub struct StartOpenIDLoginResponse {
 }
 
 /// Start OpenID login
-pub async fn start_openid_login(ip: RemoteIP, req: web::Json) -> HttpResult {
-    let url = openid_service::start_login(&req.provider, ip.0).await?;
+pub async fn start_openid_login(
+    remote_ip: RemoteIP,
+    req: web::Json,
+) -> HttpResult {
+    // Rate limiting
+    if rate_limiter_service::should_block_action(remote_ip.0, RatedAction::StartOpenIDLogin).await?
+    {
+        return Ok(HttpResponse::TooManyRequests().finish());
+    }
+    rate_limiter_service::record_action(remote_ip.0, RatedAction::StartOpenIDLogin).await?;
+
+    let url = openid_service::start_login(&req.provider, remote_ip.0).await?;
     Ok(HttpResponse::Ok().json(StartOpenIDLoginResponse { url }))
 }
 
diff --git a/geneit_backend/src/services/rate_limiter_service.rs b/geneit_backend/src/services/rate_limiter_service.rs
index 18c51ed..e819029 100644
--- a/geneit_backend/src/services/rate_limiter_service.rs
+++ b/geneit_backend/src/services/rate_limiter_service.rs
@@ -9,6 +9,7 @@ pub enum RatedAction {
     CheckResetPasswordTokenFailed,
     RequestNewPasswordResetLink,
     FailedPasswordLogin,
+    StartOpenIDLogin,
 }
 
 impl RatedAction {
@@ -18,6 +19,7 @@ impl RatedAction {
             RatedAction::CheckResetPasswordTokenFailed => "check-reset-password-token",
             RatedAction::RequestNewPasswordResetLink => "req-pwd-reset-lnk",
             RatedAction::FailedPasswordLogin => "failed-login",
+            RatedAction::StartOpenIDLogin => "start-oidc-login",
         }
     }
 
@@ -27,6 +29,7 @@ impl RatedAction {
             RatedAction::CheckResetPasswordTokenFailed => 100,
             RatedAction::RequestNewPasswordResetLink => 5,
             RatedAction::FailedPasswordLogin => 15,
+            RatedAction::StartOpenIDLogin => 30,
         }
     }
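Review bot: `should_block_action` and `record_action` in `start_openid_login` are two separate awaits, so a burst of concurrent requests from one address can all pass the check before any of them is recorded; if the limit is meant as a hard cap rather than a best-effort brake, the limiter would need a single record-and-check operation (rate_limiter_service's internals are outside this hunk, so this is inferred from the call shape). The 429 is returned with an empty body and no `Retry-After` header, so well-behaved clients cannot tell when to retry; worth considering if the window length is known to the controller. The doc comment no longer describes the handler's behavior: `/// Start OpenID login. Rate-limited per client IP; returns 429 Too Many Requests once the StartOpenIDLogin limit is exceeded.`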
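Review bot: The new `RatedAction::StartOpenIDLogin => 30` arm, like the arms around it, gives no indication of the window the count is applied over, and since this gates an unauthenticated endpoint the number is the security-relevant part of the change. A comment on the arm such as `// per-IP attempts per <WINDOW_CONSTANT> window` would let a reviewer judge the value without opening the limiter's storage code; the window definition is not in this hunk. The enclosing match and fn start and end outside the hunk.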