🚀 Feature: rate limit brute force protection #57

New Issue

Closed

opened 2025-10-07 23:51:12 +03:00 by OVERLORD · 1 comment

OVERLORD commented 2025-10-07 23:51:12 +03:00

Owner

Copy Link

Originally created by @lordraiden on GitHub.

Feature description

A determined attacker can spam the /api/webauthn/login/finish endpoint with millions of crafted assertions, trying to:trigger the passkey device repeatedly (DoS against the user’s phone/YubiKey), orfind implementation bugs (signature malleability, TOFU downgrades, etc.)

With a SQLite backend by default each failed assertion = 1 DB write. A trivial for loop can fill the disk or exhaust IOPS.

Current code ( backend/internal/handler/webauthn.go ) returns 400/401 on failure but does not count or block. No metrics, no logs with IP/user correlation.

Pitch

This is the technical proposal of AI in case it could be helpful

https://chatgpt.com/s/t_68b1c2af33f08191a31f4625b54dc757

Originally created by @lordraiden on GitHub. ### Feature description A determined attacker can spam the /api/webauthn/login/finish endpoint with millions of crafted assertions, trying to:trigger the passkey device repeatedly (DoS against the user’s phone/YubiKey), orfind implementation bugs (signature malleability, TOFU downgrades, etc.) With a SQLite backend by default each failed assertion = 1 DB write. A trivial for loop can fill the disk or exhaust IOPS. Current code ( backend/internal/handler/webauthn.go ) returns 400/401 on failure but does not count or block. No metrics, no logs with IP/user correlation. ### Pitch This is the technical proposal of AI in case it could be helpful https://chatgpt.com/s/t_68b1c2af33f08191a31f4625b54dc757

OVERLORD closed this issue 2025-10-07 23:51:12 +03:00

OVERLORD commented 2025-10-07 23:51:14 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

We already have a global rate limiter and specific limits for critical endpoints. See here:
4a1e116b81/backend/internal/controller/webauthn_controller.go (L24)

@stonith404 commented on GitHub: We already have a global rate limiter and specific limits for critical endpoints. See here: https://github.com/pocket-id/pocket-id/blob/4a1e116b814b2ca6d7b8728b40db2e86f3482ee5/backend/internal/controller/webauthn_controller.go#L24

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

oidc-scopes

breaking/v2

i18n_crowdin

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-1#57