gabriel / musehub public
failure_limiter.py python
91 lines 3.0 KB
Raw
sha256:25d96102cb2d69a038356dff26f4633156da2f1faf98fe0d0e4438ff3f367f12 refactor: rename 0054/0055 migrations to standard convention Sonnet 4.6 minor ⚠ breaking 21 days ago
1 """Per-IP auth failure tracking with exponential backoff.
2
3 Tracks consecutive verify failures per IP in memory. After successive
4 failures the IP is blocked for an increasing cooldown period.
5
6 Thresholds (consecutive failures → cooldown):
7 5 → 30 seconds
8 10 → 5 minutes
9 20 → 15 minutes
10
11 The counter resets on the first successful verify from that IP.
12 Stale entries (no activity for 1 hour) are garbage-collected lazily.
13
14 This is in-memory and process-local. For multi-worker deployments move
15 the state to a shared cache (Redis). For single-worker (UVICORN_WORKERS=1)
16 this is sufficient and has zero external dependencies.
17
18 Why this matters even with Ed25519:
19 - Prevents automated stuffing of the verify endpoint with fabricated
20 challenge tokens and random signatures.
21 - Makes enumeration of valid handles via timing measurably slower.
22 - Adds a layer of defence that complements the global 20/min rate limit.
23 """
24
25 import time
26 from fastapi import HTTPException, status
27
28 type _FailureEntry = tuple[int, float, float]
29 type _FailureMap = dict[str, _FailureEntry]
30
31 # (failure_count, first_failure_ts, last_failure_ts)
32 _failures: _FailureMap = {}
33
34 # Cooldown thresholds: (min_failures, cooldown_seconds)
35 _THRESHOLDS: list[tuple[int, int]] = [
36 (20, 900), # 20+ failures → 15 min
37 (10, 300), # 10+ failures → 5 min
38 (5, 30), # 5+ failures → 30 sec
39 ]
40
41 _GC_AFTER_SECONDS = 3600 # drop entries inactive for 1 hour
42
43 def _cooldown_for(count: int) -> int:
44 for min_failures, seconds in _THRESHOLDS:
45 if count >= min_failures:
46 return seconds
47 return 0
48
49 def _gc() -> None:
50 """Remove entries that have been quiet for GC_AFTER_SECONDS."""
51 now = time.monotonic()
52 stale = [ip for ip, (_, _, last) in _failures.items() if now - last > _GC_AFTER_SECONDS]
53 for ip in stale:
54 del _failures[ip]
55
56 def check_failure_limit(ip: str) -> None:
57 """Raise 429 if this IP is currently in a cooldown window.
58
59 Call this at the top of the verify endpoint, before any DB work.
60 """
61 entry = _failures.get(ip)
62 if entry is None:
63 return
64
65 count, _, last_failure_ts = entry
66 cooldown = _cooldown_for(count)
67 if cooldown == 0:
68 return
69
70 elapsed = time.monotonic() - last_failure_ts
71 remaining = cooldown - elapsed
72 if remaining > 0:
73 raise HTTPException(
74 status_code=status.HTTP_429_TOO_MANY_REQUESTS,
75 detail=f"Too many failed auth attempts. Try again in {int(remaining) + 1}s.",
76 headers={"Retry-After": str(int(remaining) + 1)},
77 )
78
79 def record_failure(ip: str) -> None:
80 """Increment the failure counter for this IP after a failed verify."""
81 _gc()
82 now = time.monotonic()
83 if ip in _failures:
84 count, first_ts, _ = _failures[ip]
85 _failures[ip] = (count + 1, first_ts, now)
86 else:
87 _failures[ip] = (1, now, now)
88
89 def record_success(ip: str) -> None:
90 """Reset the failure counter for this IP after a successful verify."""
91 _failures.pop(ip, None)
File History 2 commits
sha256:25d96102cb2d69a038356dff26f4633156da2f1faf98fe0d0e4438ff3f367f12 refactor: rename 0054/0055 migrations to standard convention Sonnet 4.6 minor 21 days ago
sha256:4aed3d8601c8dd3ed37074de35f11f4a9699a0a4b99d43727048fd3f8e6fd13d chore: doc sweep, ignore wrangler build state, misc fixes Sonnet 4.6 minor 23 days ago