Merge HRT-62: IP-based rate limiting on /auth/login — validated CTO

- In-memory IP rate limiter: 5 attempts / 5min window - 15 min block on exceed, HTTP 429 + Retry-After header - Applied rate_limit_middleware on portal_server.py - Tests: TestLoginRateLimit added (conflict resolved: keep both test classes) Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-27 15:24:07 +02:00
parent 099286b078 7f5573f076
commit 4bf458f1b8
5 changed files with 397 additions and 3 deletions
--- a/saas_auth.py
+++ b/saas_auth.py
@@ -14,6 +14,18 @@ import time
 import json
 from functools import wraps
 from datetime import datetime
+from collections import defaultdict
+from threading import Lock
+
+# ─── Rate limiting login ───────────────────────────────────────────────────────
+_login_attempts: dict = defaultdict(
+    lambda: {"count": 0, "window_start": 0.0, "blocked_until": 0.0}
+)
+_login_lock = Lock()
+
+LOGIN_RATE_MAX = 5  # max tentatives par fenêtre
+LOGIN_RATE_WINDOW = 300  # 5 minutes (en secondes)
+LOGIN_BLOCK_DURATION = 900  # 15 min de blocage après dépassement

 # ─── Blacklist mots de passe faibles ─────────────────────────────────────────
 # HRT-63 — Validation mots de passe faibles
@@ -300,6 +312,37 @@ def login():
    if not email or not password:
        return jsonify({"error": "Email et mot de passe requis."}), 400

+    # ── Rate limit par IP ────────────────────────────────────────
+    ip = request.remote_addr or "unknown"
+    now = time.time()
+
+    with _login_lock:
+        bucket = _login_attempts[ip]
+        # Lever le blocage si la durée est écoulée
+        if now >= bucket["blocked_until"]:
+            if now - bucket["window_start"] >= LOGIN_RATE_WINDOW:
+                bucket["count"] = 0
+                bucket["window_start"] = now
+            bucket["count"] += 1
+            count = bucket["count"]
+            if count > LOGIN_RATE_MAX:
+                bucket["blocked_until"] = now + LOGIN_BLOCK_DURATION
+                retry_after = LOGIN_BLOCK_DURATION
+                blocked = True
+            else:
+                retry_after = int(LOGIN_RATE_WINDOW - (now - bucket["window_start"]))
+                blocked = False
+        else:
+            blocked = True
+            retry_after = int(bucket["blocked_until"] - now)
+
+    if blocked:
+        resp = jsonify({"error": "Trop de tentatives. Réessayez plus tard."})
+        resp.status_code = 429
+        resp.headers["Retry-After"] = str(retry_after)
+        return resp
+    # ─────────────────────────────────────────────────────────────
+
    pw_hash = hash_password(password)
    conn = get_db()
    user = conn.execute(