Set login rate limiting before comparing credentials, added log entry for successful login #359

Forceu · Forceu · commit 81311b2c5fdb · 2026-03-01T14:32:27.000+01:00
diff --git a/internal/logging/Logging.go b/internal/logging/Logging.go
@@ -270,6 +270,11 @@ func LogInvalidLogin(username, ip string) {
 	createLogEntry(categoryAuth, fmt.Sprintf("Invalid login for user %s by IP %s", username, ip), false)
 }
 
+// LogValidLogin adds a log entry to indicate that a login was successful. Non-blocking
+func LogValidLogin(username string) {
+	createLogEntry(categoryAuth, fmt.Sprintf("%s logged in sucessfully", username), false)
+}
+
 // LogDownload adds a log entry when a download was requested. Non-Blocking
 func LogDownload(file models.File, r *http.Request, saveIp bool) {
 	if saveIp {
diff --git a/internal/webserver/Webserver.go b/internal/webserver/Webserver.go
@@ -511,15 +511,16 @@ func showLogin(w http.ResponseWriter, r *http.Request) {
 	pw := r.Form.Get("password")
 	failedLogin := false
 	if pw != "" && user != "" {
+		ip := logging.GetIpAddress(r)
+		ratelimiter.WaitOnLogin(ip)
 		retrievedUser, validCredentials := authentication.IsCorrectUsernameAndPassword(user, pw)
 		if validCredentials {
+			logging.LogValidLogin(user)
 			sessionmanager.CreateSession(w, false, 0, retrievedUser.Id)
 			redirect(w, "admin")
 			return
 		}
-		ip := logging.GetIpAddress(r)
 		logging.LogInvalidLogin(user, ip)
-		ratelimiter.WaitOnFailedLogin(ip)
 		failedLogin = true
 	}
 	err = templateFolder.ExecuteTemplate(w, "login", LoginView{
diff --git a/internal/webserver/ratelimiter/RateLimiter.go b/internal/webserver/ratelimiter/RateLimiter.go
@@ -31,10 +31,10 @@ func newLimiter() *store {
 	}
 }
 
-// WaitOnFailedLogin blocks the current goroutine until the rate limiter allows a request
-// Two failed attempts without limiting, thereafter one attempt every 3 seconds
-func WaitOnFailedLogin(ip string) {
-	_ = failedLoginLimiter.Get(ip, 1, 6).WaitN(context.Background(), 3)
+// WaitOnLogin blocks the current goroutine until the rate limiter allows a request
+// Three attempts without limiting, thereafter one attempt every 3 seconds
+func WaitOnLogin(ip string) {
+	_ = failedLoginLimiter.Get(ip, 1, 9).WaitN(context.Background(), 3)
 }
 
 // WaitOnFailedId blocks the current goroutine until the rate limiter allows a request

Original file line number	Diff line number	Diff line change
`@@ -31,10 +31,10 @@ func newLimiter() *store {`
`31`	`31`	`}`
`32`	`32`	`}`
`33`	`33`
`34`		`-// WaitOnFailedLogin blocks the current goroutine until the rate limiter allows a request`
`35`		`-// Two failed attempts without limiting, thereafter one attempt every 3 seconds`
`36`		`-func WaitOnFailedLogin(ip string) {`
`37`		`- _ = failedLoginLimiter.Get(ip, 1, 6).WaitN(context.Background(), 3)`
	`34`	`+// WaitOnLogin blocks the current goroutine until the rate limiter allows a request`
	`35`	`+// Three attempts without limiting, thereafter one attempt every 3 seconds`
	`36`	`+func WaitOnLogin(ip string) {`
	`37`	`+ _ = failedLoginLimiter.Get(ip, 1, 9).WaitN(context.Background(), 3)`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`// WaitOnFailedId blocks the current goroutine until the rate limiter allows a request`