feat(security): add IP-based rate limiting on /api/v1/auth/login — fix brute force HRT-62

- saas_auth.py: in-memory sliding-window rate limiter (5 attempts/5min, 15min block) using collections.defaultdict + threading.Lock, stdlib only, no new deps - portal_server.py: register rate_limit_middleware + access_log_middleware (was missing, leaving global 100req/min limit unApplied on portal routes) - tests/security/test_security.py: add TestLoginRateLimit class with test_login_brute_force_blocked_after_5_attempts and test_login_429_has_retry_after_header Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-27 14:50:08 +02:00
parent 82d6bdafba
commit 7f5573f076
3 changed files with 98 additions and 3 deletions
--- a/saas_auth.py
+++ b/saas_auth.py
@@ -14,6 +14,18 @@ import time
 import json
 from functools import wraps
 from datetime import datetime
+from collections import defaultdict
+from threading import Lock
+
+# ─── Rate limiting login ───────────────────────────────────────────────────────
+_login_attempts: dict = defaultdict(
+    lambda: {"count": 0, "window_start": 0.0, "blocked_until": 0.0}
+)
+_login_lock = Lock()
+
+LOGIN_RATE_MAX = 5  # max tentatives par fenêtre
+LOGIN_RATE_WINDOW = 300  # 5 minutes (en secondes)
+LOGIN_BLOCK_DURATION = 900  # 15 min de blocage après dépassement

 # ─── Config ───────────────────────────────────────────────────────────────────
 DB_PATH = os.environ.get("TURF_SAAS_DB", "/home/h3r7/turf_saas/turf_saas.db")
@@ -184,6 +196,37 @@ def login():
    if not email or not password:
        return jsonify({"error": "Email et mot de passe requis."}), 400

+    # ── Rate limit par IP ────────────────────────────────────────
+    ip = request.remote_addr or "unknown"
+    now = time.time()
+
+    with _login_lock:
+        bucket = _login_attempts[ip]
+        # Lever le blocage si la durée est écoulée
+        if now >= bucket["blocked_until"]:
+            if now - bucket["window_start"] >= LOGIN_RATE_WINDOW:
+                bucket["count"] = 0
+                bucket["window_start"] = now
+            bucket["count"] += 1
+            count = bucket["count"]
+            if count > LOGIN_RATE_MAX:
+                bucket["blocked_until"] = now + LOGIN_BLOCK_DURATION
+                retry_after = LOGIN_BLOCK_DURATION
+                blocked = True
+            else:
+                retry_after = int(LOGIN_RATE_WINDOW - (now - bucket["window_start"]))
+                blocked = False
+        else:
+            blocked = True
+            retry_after = int(bucket["blocked_until"] - now)
+
+    if blocked:
+        resp = jsonify({"error": "Trop de tentatives. Réessayez plus tard."})
+        resp.status_code = 429
+        resp.headers["Retry-After"] = str(retry_after)
+        return resp
+    # ─────────────────────────────────────────────────────────────
+
    pw_hash = hash_password(password)
    conn = get_db()
    user = conn.execute(