Rate limit per IP the number of login attempt

2025-12-18 14:34:23 +01:00 · 2018-08-25 20:28:46 +09:00
parent 6c51d83f61
commit 023913a852
5 changed files with 21 additions and 0 deletions
--- a/BTCPayServer/BTCPayServer.csproj
+++ b/BTCPayServer/BTCPayServer.csproj
@@ -49,6 +49,7 @@
    <PackageReference Include="NBXplorer.Client" Version="1.0.2.18" />
    <PackageReference Include="NicolasDorier.CommandLine" Version="1.0.0.2" />
    <PackageReference Include="NicolasDorier.CommandLine.Configuration" Version="1.0.0.3" />
+    <PackageReference Include="NicolasDorier.RateLimits" Version="1.0.0.3" />
    <PackageReference Include="NicolasDorier.StandardConfiguration" Version="1.0.0.17" />
    <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="2.1.0" />
    <PackageReference Include="SSH.NET" Version="2016.1.0" />
--- a/BTCPayServer/Controllers/AccountController.cs
+++ b/BTCPayServer/Controllers/AccountController.cs
@@ -18,6 +18,7 @@ using BTCPayServer.Services.Stores;
 using BTCPayServer.Logging;
 using BTCPayServer.Security;
 using System.Globalization;
+using NicolasDorier.RateLimits;

 namespace BTCPayServer.Controllers
 {
@@ -70,6 +71,7 @@ namespace BTCPayServer.Controllers
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
+        [RateLimitsFilter(ZoneLimits.Login, Scope = RateLimitsScope.RemoteAddress)]
        public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
        {
            ViewData["ReturnUrl"] = returnUrl;
--- a/BTCPayServer/Hosting/BTCPayServerServices.cs
+++ b/BTCPayServer/Hosting/BTCPayServerServices.cs
@@ -41,6 +41,7 @@ using System.Security.Claims;
 using BTCPayServer.Security;
 using Microsoft.AspNetCore.Mvc.ModelBinding;
 using NBXplorer.DerivationStrategy;
+using NicolasDorier.RateLimits;

 namespace BTCPayServer.Hosting
 {
@@ -165,6 +166,10 @@ namespace BTCPayServer.Hosting
            {
                options.AddPolicy(CorsPolicies.All, p=>p.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin());
            });
+
+            var rateLimits = new RateLimitService();
+            rateLimits.SetZone($"zone={ZoneLimits.Login} rate=5r/min burst=3 nodelay");
+            services.AddSingleton(rateLimits);
            return services;
        }

--- a/BTCPayServer/Hosting/Startup.cs
+++ b/BTCPayServer/Hosting/Startup.cs
@@ -166,6 +166,7 @@ namespace BTCPayServer.Hosting
                Authorization = new[] { new NeedRole(Roles.ServerAdmin) }
            });
            app.UseWebSockets();
+            app.UseStatusCodePages();
            app.UseMvc(routes =>
            {
                routes.MapRoute(
--- a/BTCPayServer/ZoneLimits.cs
+++ b/BTCPayServer/ZoneLimits.cs
@@ -0,0 +1,12 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace BTCPayServer
+{
+    public class ZoneLimits
+    {
+        public const string Login = "btcpaylogin";
+    }
+}