Rust implementation of OCI Distribution Spec with granular access control

Add rate limiting to authentication endpoints #2

Open; opened by pierrelf.com

Problem

There is no rate limiting on authentication attempts. The production metrics already track grain_auth_failures_total, and the metrics endpoint reveals significant reconnaissance traffic (probes for .env, .git/config, wp-login.php, etc.). A brute-force attack against the Basic Auth credentials would be unthrottled.

Proposed Solution

  • Add per-IP rate limiting middleware for authenticated endpoints (especially /v2/)
  • Consider using tower::limit or a dedicated rate limiting crate like governor
  • Configurable limits via CLI args (e.g., --auth-rate-limit 10/minute)
  • Return 429 Too Many Requests with Retry-After header when limit is exceeded
  • Add a grain_rate_limited_total Prometheus counter

Alternatives

  • Could rely on reverse proxy (Caddy) for rate limiting, but defense-in-depth is preferred
  • IP-based limiting may not work well behind proxies without X-Forwarded-For handling
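
A std-only sketch of the per-IP limiter proposed in this issue, added here as an illustration; it is not code from the repository or from the issue author. The `AuthLimiter` type, its methods and the fixed-window policy are assumptions, and the sample address is constructed.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

/// Parse a spec like "10/minute" (the flag format proposed in the issue).
fn parse_limit(spec: &str) -> Option<(u32, Duration)> {
    let (count, unit) = spec.split_once('/')?;
    let secs = match unit { "second" => 1, "minute" => 60, "hour" => 3600, _ => return None };
    let count: u32 = count.trim().parse().ok().filter(|&c| c > 0)?;
    Some((count, Duration::from_secs(secs)))
}

/// Fixed-window counter of authentication attempts per client IP (hypothetical type).
struct AuthLimiter {
    max: u32,
    window: Duration,
    hits: HashMap<IpAddr, (Instant, u32)>, // window start, attempts in window
    rate_limited_total: u64,               // would back grain_rate_limited_total
}

impl AuthLimiter {
    fn new(spec: &str) -> Option<Self> {
        let (max, window) = parse_limit(spec)?;
        Some(Self { max, window, hits: HashMap::new(), rate_limited_total: 0 })
    }
    /// Ok(()) lets the attempt through; Err(secs) means reply 429 with Retry-After: secs.
    /// Behind a proxy, derive `ip` from X-Forwarded-For only if the peer is that trusted proxy.
    fn check(&mut self, ip: IpAddr, now: Instant) -> Result<(), u64> {
        let entry = self.hits.entry(ip).or_insert((now, 0));
        if now.duration_since(entry.0) >= self.window { *entry = (now, 0); }
        if entry.1 >= self.max {
            self.rate_limited_total += 1;
            let left = self.window.saturating_sub(now.duration_since(entry.0));
            return Err((left.as_secs_f64().ceil() as u64).max(1));
        }
        entry.1 += 1;
        Ok(())
    }
    /// Drop expired windows so the map cannot grow without bound under a scan.
    fn prune(&mut self, now: Instant) {
        let window = self.window;
        self.hits.retain(|_, (start, _)| now.duration_since(*start) < window);
    }
}

fn main() {
    let mut limiter = AuthLimiter::new("2/minute").expect("valid limit");
    let ip: IpAddr = "203.0.113.7".parse().unwrap(); // constructed documentation address
    for i in 1..=3 { println!("attempt {}: {:?}", i, limiter.check(ip, Instant::now())); }
}
```

Taking `now` as a parameter keeps the limiter deterministic under test; in a server, `prune` would run on a timer.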
AT URI
at://did:plc:meotu43t6usg4qdwzenk4s2t/sh.tangled.repo.issue/3mfkg6jkoso2c