authorJames Elliott <james-d-elliott@users.noreply.github.com>2025-03-01 14:28:19 +1100
committerGitHub <noreply@github.com>2025-03-01 03:28:19 +0000
commitef5051b0c3b55349e5be4026131ef22844a729a9 (patch)
tree7d969bac1ed2ec997266409fbd9617293e1f54ad /api
parent178c7475ff7b6031928c3b63d2cbb8f5b3ad8961 (diff)
feat(middlewares): tokenized bucket rate limit (#8321)
This adds rate limits to the TOTP second factor endpoint, the Duo second factor endpoint, Session Elevation endpoint, and the Reset Password endpoint. This protection exists as several configurable tokenized buckets anchored to the user's remote IP address. In the event the rate limit is exceeded by the user the middleware will respond with a 429 status, a Retry-After header, and a JSON body indicating it is rate limited, which the UI will gracefully handle. This has several benefits that complement the 1FA regulation; specifically, in simple architectures it limits the number of SMTP sends a unique client can make, as well as the number of requests a particular client can make in general on specific endpoints where too many requests may indicate either a fault or some form of abuse. Closes #7353, Closes #1947 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Diffstat (limited to 'api')
-rw-r--r--api/openapi.yml78
1 files changed, 78 insertions, 0 deletions
diff --git a/api/openapi.yml b/api/openapi.yml
index 2c8ac69ff..eb15d39f3 100644
--- a/api/openapi.yml
+++ b/api/openapi.yml
@@ -588,6 +588,18 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/middlewares.Response.OK'
+ "429":
+ description: Too Many Requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/middlewares.Response.KO'
+ headers:
+ Retry-After:
+ schema:
+ type: string
+ format: http-date
+ description: The date time that the request can be retried.
security:
- authelia_auth: []
/api/reset-password/identity/finish:
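Review bot: The same twelve-line `"429"` response is pasted verbatim into this hunk and the hunks at `@@ -614`, `@@ -639`, `@@ -661`, `@@ -984` and `@@ -1254`, and the seventh copy at `@@ -1713` already diverges by adding only the header, so any later change to the `Retry-After` schema or wording has to be repeated in every operation. OpenAPI 3 provides `components.responses` and `components.headers` for exactly this, so each operation can carry `"429": { $ref: '#/components/responses/TooManyRequests' }` and the shared definitions live in one place. Separately, `format: http-date` pins the header to one of the two forms RFC 9110 permits for `Retry-After`; the other is a delay in seconds, and the documented form should match what the middleware actually emits, which cannot be confirmed from this diff. While consolidating, `description: The time after which the request may be retried.` reads better than the current wording; note that the file appears to be a Go template (`{{- end }}` is visible in the `@@ -661` hunk), so the shared component should sit in a part of the file that is rendered unconditionally.
```yaml
      "429":
        $ref: '#/components/responses/TooManyRequests'
# … unchanged: remaining responses and security for each operation …

# added under the existing top-level components: key
  responses:
    TooManyRequests:
      description: Too Many Requests
      headers:
        Retry-After:
          $ref: '#/components/headers/RetryAfter'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/middlewares.Response.KO'
  headers:
    RetryAfter:
      description: The time after which the request may be retried.
      schema:
        type: string
        format: http-date
```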
@@ -614,6 +626,18 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/middlewares.Response.OK'
+ "429":
+ description: Too Many Requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/middlewares.Response.KO'
+ headers:
+ Retry-After:
+ schema:
+ type: string
+ format: http-date
+ description: The date time that the request can be retried.
security:
- authelia_auth: []
/api/reset-password:
@@ -639,6 +663,18 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/middlewares.Response.OK'
+ "429":
+ description: Too Many Requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/middlewares.Response.KO'
+ headers:
+ Retry-After:
+ schema:
+ type: string
+ format: http-date
+ description: The date time that the request can be retried.
security:
- authelia_auth: []
delete:
@@ -661,6 +697,18 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/middlewares.Response.API'
+ "429":
+ description: Too Many Requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/middlewares.Response.KO'
+ headers:
+ Retry-After:
+ schema:
+ type: string
+ format: http-date
+ description: The date time that the request can be retried.
security:
- authelia_auth: []
{{- end }}
@@ -984,6 +1032,18 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/middlewares.Response.KO'
+ "429":
+ description: Too Many Requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/middlewares.Response.KO'
+ headers:
+ Retry-After:
+ schema:
+ type: string
+ format: http-date
+ description: The date time that the request can be retried.
security:
- authelia_auth: []
delete:
@@ -1254,6 +1314,18 @@ paths:
$ref: '#/components/schemas/handlers.redirectResponse'
"401":
description: Unauthorized
+ "429":
+ description: Too Many Requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/middlewares.Response.KO'
+ headers:
+ Retry-After:
+ schema:
+ type: string
+ format: http-date
+ description: The date time that the request can be retried.
security:
- authelia_auth: []
/api/secondfactor/duo_devices:
@@ -1713,6 +1785,12 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
+ headers:
+ Retry-After:
+ schema:
+ type: string
+ format: http-date
+ description: The date time that the request can be retried.
"500":
description: Internal Server Error
content:
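Review bot: The response that this added `Retry-After` header belongs to is not visible in the hunk — its status key sits above the three context lines, and the only visible neighbour is the `"500"` response — so the diff alone does not show whether the header is documented on a 429 or on another error response that reuses `openid.spec.ErrorResponseGeneric`. If it is a 429, a reusable `#/components/headers/RetryAfter` would let this copy share one definition with the other endpoints instead of repeating the schema and description; if it is not, a short comment explaining why a non-429 response carries `Retry-After` would help the next reader. The enclosing response and operation start outside the hunk.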