when registering login attempts, use X-Forwarded-For header for finding the IP address

We already did this for the rate limiting.

Hopefully solves issue #338.
Mechiel Lukkien 2025-04-22 09:05:34 +02:00
parent ee99e82cf4
commit baacdbca18
2 changed files with 5 additions and 16 deletions


@ -18,7 +18,6 @@ import (
"log/slog" "log/slog"
"mime" "mime"
"mime/multipart" "mime/multipart"
"net"
"net/http" "net/http"
"net/textproto" "net/textproto"
"os" "os"
@ -422,7 +421,7 @@ func (s server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
log.Check(werr, "writing error response") log.Check(werr, "writing error response")
} }
la := loginAttempt(r, "webapi", "httpbasic") la := loginAttempt(remoteIP.String(), r, "webapi", "httpbasic")
la.LoginAddress = email la.LoginAddress = email
defer func() { defer func() {
store.LoginAttemptAdd(context.Background(), log, la) store.LoginAttemptAdd(context.Background(), log, la)
@ -530,12 +529,7 @@ func (s server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// loginAttempt initializes a store.LoginAttempt, for adding to the store after // loginAttempt initializes a store.LoginAttempt, for adding to the store after
// filling in the results and other details. // filling in the results and other details.
func loginAttempt(r *http.Request, protocol, authMech string) store.LoginAttempt { func loginAttempt(remoteIP string, r *http.Request, protocol, authMech string) store.LoginAttempt {
remoteIP, _, _ := net.SplitHostPort(r.RemoteAddr)
if remoteIP == "" {
remoteIP = r.RemoteAddr
}
return store.LoginAttempt{ return store.LoginAttempt{
RemoteIP: remoteIP, RemoteIP: remoteIP,
TLS: store.LoginAttemptTLS(r.TLS), TLS: store.LoginAttemptTLS(r.TLS),
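Review bot: The doc comment above the new loginAttempt signature still describes only the request, while the added remoteIP parameter now decides what is stored in RemoteIP; a one-line addition such as `// remoteIP is the client address as resolved by the caller (X-Forwarded-For aware); it is stored verbatim as RemoteIP.` would make that explicit, and the same applies to the sibling loginAttempt in the second file. The removed fallback to r.RemoteAddr has no replacement: remoteIP is computed outside this hunk, and if it can be a nil net.IP (forwarded header absent or unparseable), `remoteIP.String()` records the literal "<nil>" instead of the peer address, so the callers should guarantee a non-nil value or fall back to r.RemoteAddr themselves. Since RemoteIP is now derived from a forwarded header, the recorded value is only as trustworthy as the listener's reverse-proxy configuration, presumably the same condition the rate limiter already relies on; stating that in the comment tells readers of LoginAttempt records how much weight to give the field. loginAttempt's body continues past the end of the hunk.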


@ -80,12 +80,7 @@ type SessionAuth interface {
} }
// loginAttempt initializes a loginAttempt, for adding to the store after filling in the results and other details. // loginAttempt initializes a loginAttempt, for adding to the store after filling in the results and other details.
func loginAttempt(r *http.Request, protocol, authMech string) store.LoginAttempt { func loginAttempt(remoteIP string, r *http.Request, protocol, authMech string) store.LoginAttempt {
remoteIP, _, _ := net.SplitHostPort(r.RemoteAddr)
if remoteIP == "" {
remoteIP = r.RemoteAddr
}
return store.LoginAttempt{ return store.LoginAttempt{
RemoteIP: remoteIP, RemoteIP: remoteIP,
TLS: store.LoginAttemptTLS(r.TLS), TLS: store.LoginAttemptTLS(r.TLS),
@ -163,7 +158,7 @@ func Check(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind stri
return return
} }
la := loginAttempt(r, kind, "websession") la := loginAttempt(ip.String(), r, kind, "websession")
defer func() { defer func() {
store.LoginAttemptAdd(context.Background(), log, la) store.LoginAttemptAdd(context.Background(), log, la)
}() }()
@ -271,7 +266,7 @@ func Login(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind, coo
username = norm.NFC.String(username) username = norm.NFC.String(username)
valid, disabled, accountName, err := sessionAuth.login(ctx, log, username, password) valid, disabled, accountName, err := sessionAuth.login(ctx, log, username, password)
la := loginAttempt(r, kind, "weblogin") la := loginAttempt(ip.String(), r, kind, "weblogin")
la.LoginAddress = username la.LoginAddress = username
la.AccountName = accountName la.AccountName = accountName
defer func() { defer func() {