From 29c0247b4bf0b6c5de2fdd11dc6f319937f7b80a Mon Sep 17 00:00:00 2001
From: Pierre Hubert <pierre.git@communiquons.org>
Date: Fri, 2 Jun 2023 11:52:10 +0200
Subject: [PATCH] Add rate limiting

---
 geneit_backend/src/controllers/auth_controller.rs  | 14 ++++++++++++--
 .../src/services/rate_limiter_service.rs           |  3 +++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/geneit_backend/src/controllers/auth_controller.rs b/geneit_backend/src/controllers/auth_controller.rs
index cb4e418..7b536cc 100644
--- a/geneit_backend/src/controllers/auth_controller.rs
+++ b/geneit_backend/src/controllers/auth_controller.rs
@@ -239,8 +239,18 @@ pub struct StartOpenIDLoginResponse {
 }
 
 /// Start OpenID login
-pub async fn start_openid_login(ip: RemoteIP, req: web::Json<StartOpenIDLoginQuery>) -> HttpResult {
-    let url = openid_service::start_login(&req.provider, ip.0).await?;
+pub async fn start_openid_login(
+    remote_ip: RemoteIP,
+    req: web::Json<StartOpenIDLoginQuery>,
+) -> HttpResult {
+    // Rate limiting
+    if rate_limiter_service::should_block_action(remote_ip.0, RatedAction::StartOpenIDLogin).await?
+    {
+        return Ok(HttpResponse::TooManyRequests().finish());
+    }
+    rate_limiter_service::record_action(remote_ip.0, RatedAction::StartOpenIDLogin).await?;
+
+    let url = openid_service::start_login(&req.provider, remote_ip.0).await?;
 
     Ok(HttpResponse::Ok().json(StartOpenIDLoginResponse { url }))
 }
diff --git a/geneit_backend/src/services/rate_limiter_service.rs b/geneit_backend/src/services/rate_limiter_service.rs
index 18c51ed..e819029 100644
--- a/geneit_backend/src/services/rate_limiter_service.rs
+++ b/geneit_backend/src/services/rate_limiter_service.rs
@@ -9,6 +9,7 @@ pub enum RatedAction {
     CheckResetPasswordTokenFailed,
     RequestNewPasswordResetLink,
     FailedPasswordLogin,
+    StartOpenIDLogin,
 }
 
 impl RatedAction {
@@ -18,6 +19,7 @@ impl RatedAction {
             RatedAction::CheckResetPasswordTokenFailed => "check-reset-password-token",
             RatedAction::RequestNewPasswordResetLink => "req-pwd-reset-lnk",
             RatedAction::FailedPasswordLogin => "failed-login",
+            RatedAction::StartOpenIDLogin => "start-oidc-login",
         }
     }
 
@@ -27,6 +29,7 @@ impl RatedAction {
             RatedAction::CheckResetPasswordTokenFailed => 100,
             RatedAction::RequestNewPasswordResetLink => 5,
             RatedAction::FailedPasswordLogin => 15,
+            RatedAction::StartOpenIDLogin => 30,
         }
     }