Merge pull request #90 from evanofslack/limit

Add seperate auth for rate limiting
evanofslack · Jul 24, 2023 · b65ecbe · b65ecbe
2 parents 5429a51 + 0b9cd5f
commit b65ecbe
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 7 deletions.
diff --git a/backend/.env.example b/backend/.env.example
@@ -31,5 +31,7 @@ ANALOGDB_LOG_LEVEL=info
 ANALOGDB_WEBHOOK_URL="https://hooks.slack.com"
 ANALOGDB_AUTH_USERNAME=username
 ANALOGDB_AUTH_PASSWORD=password
+ANALOGDB_RATE_LIMIT_AUTH_USERNAME=username
+ANALOGDB_RATE_LIMIT_AUTH_PASSWORD=password
 ANALOGDB_METRICS_PORT=9090
 ANALOGDB_CACHE_ENABLED=true
diff --git a/backend/config/config.go b/backend/config/config.go
@@ -48,8 +48,10 @@ type Log struct {
 }
 
 type Auth struct {
-	Username string `yaml:"username" env:"AUTH_USERNAME"`
-	Password string `yaml:"password" env:"AUTH_PASSWORD"`
+	Username          string `yaml:"username" env:"AUTH_USERNAME"`
+	Password          string `yaml:"password" env:"AUTH_PASSWORD"`
+	RateLimitUsername string `yaml:"rate_limit_username" env:"RATE_LIMIT_AUTH_USERNAME"`
+	RateLimitPassword string `yaml:"rate_limit_password" env:"RATE_LIMIT_AUTH_PASSWORD"`
 }
 
 type Metrics struct {

diff --git a/backend/docker-compose.yaml b/backend/docker-compose.yaml
@@ -27,6 +27,8 @@ services:
       WEBHOOK_URL: ${ANALOGDB_WEBHOOK_URL}
       AUTH_USERNAME: ${ANALOGDB_AUTH_USERNAME}
       AUTH_PASSWORD: ${ANALOGDB_AUTH_PASSWORD}
+      RATE_LIMIT_AUTH_USERNAME: ${ANALOGDB_RATE_LIMIT_AUTH_USERNAME}
+      RATE_LIMIT_AUTH_PASSWORD: ${ANALOGDB_RATE_LIMIT_AUTH_PASSWORD}
       METRICS_ENABLED: ${ANALOGDB_METRICS_ENABLED}
       METRICS_PORT: ${ANALOGDB_METRICS_PORT}
       CACHE_ENABLED: ${ANALOGDB_CACHE_ENABLED}

diff --git a/backend/server/auth.go b/backend/server/auth.go
@@ -8,7 +8,11 @@ import (
 
 func (s *Server) auth(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		authenticated := s.passBasicAuth(r)
+
+		username := s.basicAuth.Username
+		password := s.basicAuth.Password
+
+		authenticated := s.passBasicAuth(username, password, r)
 		if authenticated {
 			s.logger.Debug().Bool("authenticated", authenticated).Msg("Authorized with basic auth")
 			next.ServeHTTP(w, r)
@@ -20,16 +24,16 @@ func (s *Server) auth(next http.Handler) http.Handler {
 	})
 }
 
-func (s *Server) passBasicAuth(r *http.Request) bool {
+func (s *Server) passBasicAuth(username, password string, r *http.Request) bool {
 	username, password, ok := r.BasicAuth()
 	if !ok {
 		return false
 	}
 
 	usernameHash := sha256.Sum256([]byte(username))
 	passwordHash := sha256.Sum256([]byte(password))
-	expectedUsernameHash := sha256.Sum256([]byte(s.basicAuth.Username))
-	expectedPasswordHash := sha256.Sum256([]byte(s.basicAuth.Password))
+	expectedUsernameHash := sha256.Sum256([]byte(username))
+	expectedPasswordHash := sha256.Sum256([]byte(password))
 
 	usernameMatch := (subtle.ConstantTimeCompare(usernameHash[:], expectedUsernameHash[:]) == 1)
 	passwordMatch := (subtle.ConstantTimeCompare(passwordHash[:], expectedPasswordHash[:]) == 1)

diff --git a/backend/server/middleware.go b/backend/server/middleware.go
@@ -48,7 +48,10 @@ func (s *Server) mountMiddleware() {
 // apply rate limit only if user is not authenticated
 func (s *Server) applyRateLimit(r *http.Request) bool {
 
-	authenticated := s.passBasicAuth(r)
+	rl_username := s.basicAuth.RateLimitUsername
+	rl_password := s.basicAuth.RateLimitPassword
+
+	authenticated := s.passBasicAuth(rl_username, rl_password, r)
 	if authenticated {
 		s.logger.Debug().Bool("authenticated", authenticated).Msg("Bypassing rate limit")
 		return false