feat(web): harden login gate — throttle, scoped TLS, token-derived seal key
Remediates the two web-console residuals from the 2026-07-05 posture audit: - Brute-force throttle (loginThrottle.ts): per-IP exponential backoff after 5 free attempts, plus a global floor for spread-out floods, keyed on the socket peer IP (not spoofable X-Forwarded-For) with a size-capped map. The constant-time compare already stopped the timing leak; this bounds guess *volume* against a by-design LAN-exposed console. - Session seal key now derives from the high-entropy mgmt token instead of the low-entropy login password, so a captured cookie is no longer an offline password oracle. Falls back to the password only when no token is configured (dev/local). Rotating the token now invalidates sessions. - Replace the process-wide NODE_TLS_REJECT_UNAUTHORIZED=0 with per-request Bun TLS scoped to the loopback proxy hop; a non-loopback mgmt URL now verifies normally. Dropped the env var from the systemd unit, Steam Deck installer, Windows run scripts, env examples, and web README. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,13 +1,26 @@
|
||||
// POST /_auth/login {password} — verify the shared password (constant-time), then seal an
|
||||
// authenticated session cookie. Public (allowlisted in the gate) so an unauthenticated user
|
||||
// can actually log in.
|
||||
import { createError, defineEventHandler, readBody, useSession } from "h3";
|
||||
// can actually log in. Brute force is bounded by an in-memory per-IP throttle (loginThrottle):
|
||||
// the constant-time compare stops a timing leak, the throttle stops guessing at volume.
|
||||
import {
|
||||
createError,
|
||||
defineEventHandler,
|
||||
getRequestIP,
|
||||
readBody,
|
||||
setResponseHeader,
|
||||
useSession,
|
||||
} from "h3";
|
||||
import {
|
||||
type SessionData,
|
||||
sessionConfig,
|
||||
timingSafeEqual,
|
||||
uiPassword,
|
||||
} from "../../util/auth";
|
||||
import {
|
||||
recordLoginFailure,
|
||||
recordLoginSuccess,
|
||||
throttleRetryAfterMs,
|
||||
} from "../../util/loginThrottle";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const expected = uiPassword();
|
||||
@@ -17,11 +30,28 @@ export default defineEventHandler(async (event) => {
|
||||
statusMessage: "auth not configured",
|
||||
});
|
||||
}
|
||||
// The socket peer address — deliberately NOT trusting X-Forwarded-For (spoofable unless we sit
|
||||
// behind a known proxy, which the packaged console does not). Falls back to a single shared bucket
|
||||
// if the address is somehow unavailable, so the throttle still applies.
|
||||
const ip = getRequestIP(event) ?? "unknown";
|
||||
|
||||
// Throttle BEFORE touching the password so a locked-out client can't keep the guess loop spinning.
|
||||
const wait = throttleRetryAfterMs(ip);
|
||||
if (wait > 0) {
|
||||
setResponseHeader(event, "Retry-After", Math.ceil(wait / 1000));
|
||||
throw createError({
|
||||
statusCode: 429,
|
||||
statusMessage: "too many attempts — try again shortly",
|
||||
});
|
||||
}
|
||||
|
||||
const body = await readBody<{ password?: string }>(event);
|
||||
const password = String(body?.password ?? "");
|
||||
if (!timingSafeEqual(password, expected)) {
|
||||
recordLoginFailure(ip);
|
||||
throw createError({ statusCode: 401, statusMessage: "invalid password" });
|
||||
}
|
||||
recordLoginSuccess(ip);
|
||||
const session = await useSession<SessionData>(event, sessionConfig());
|
||||
await session.update({ authenticated: true });
|
||||
return { ok: true };
|
||||
|
||||
@@ -9,11 +9,12 @@ import {
|
||||
proxyRequest,
|
||||
setResponseStatus,
|
||||
} from "h3";
|
||||
import { mgmtToken, mgmtUrl } from "../../util/auth";
|
||||
import { isLoopbackUrl, mgmtToken, mgmtUrl } from "../../util/auth";
|
||||
|
||||
export default defineEventHandler((event) => {
|
||||
const { pathname, search } = getRequestURL(event);
|
||||
const target = `${mgmtUrl()}${pathname}${search}`;
|
||||
const base = mgmtUrl();
|
||||
const target = `${base}${pathname}${search}`;
|
||||
const token = mgmtToken();
|
||||
// The mgmt API now requires a token always. Without one configured, forwarding an empty bearer
|
||||
// would just bounce as 401 — fail fast and legibly instead (the packaged service sources the
|
||||
@@ -25,7 +26,20 @@ export default defineEventHandler((event) => {
|
||||
"management token not configured (PUNKTFUNK_MGMT_TOKEN / ~/.config/punktfunk/mgmt-token)",
|
||||
};
|
||||
}
|
||||
// TLS scoping (replaces the old process-wide NODE_TLS_REJECT_UNAUTHORIZED=0): the host presents a
|
||||
// SELF-SIGNED, no-SAN identity cert on loopback, which normal verification rejects. We relax
|
||||
// verification ONLY for this one loopback hop, via Bun's per-request `tls` option — so any OTHER
|
||||
// outbound TLS the process ever makes still verifies normally (the global env unverified
|
||||
// everything). If the operator points PUNKTFUNK_MGMT_URL at a NON-loopback host, we do NOT relax:
|
||||
// a remote mgmt API must present a valid chain, which is stricter than the old blanket accept.
|
||||
const fetchOptions = isLoopbackUrl(base)
|
||||
? // `tls` is a Bun.fetch extension (the console runs on bun — Bun.serve/`bun .output/...`), not
|
||||
// in the standard RequestInit type, so cast through unknown.
|
||||
({ tls: { rejectUnauthorized: false } } as unknown as RequestInit)
|
||||
: undefined;
|
||||
|
||||
return proxyRequest(event, target, {
|
||||
fetchOptions,
|
||||
headers: {
|
||||
// Overwrite, not append: the host-held token replaces anything the browser sent.
|
||||
authorization: `Bearer ${token}`,
|
||||
|
||||
Reference in New Issue
Block a user