added rate limiting to identity

2025-07-03 17:12:49 -05:00 · 2017-09-28 15:01:43 -04:00
parent 1cc6fb1668
commit 0fff886357
5 changed files with 59 additions and 2 deletions
--- a/src/Identity/Startup.cs
+++ b/src/Identity/Startup.cs
@ -7,6 +7,7 @@ using Microsoft.Extensions.Configuration;
 using Bit.Core;
 using Bit.Core.Utilities;
 using Serilog.Events;
+using AspNetCoreRateLimit;

 namespace Bit.Identity
 {
@ -30,6 +31,11 @@ namespace Bit.Identity

            // Settings
            var globalSettings = services.AddGlobalSettingsServices(Configuration);
+            if(!globalSettings.SelfHosted)
+            {
+                services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimitOptions"));
+                services.Configure<IpRateLimitPolicies>(Configuration.GetSection("IpRateLimitPolicies"));
+            }

            // Data Protection
            services.AddCustomDataProtectionServices(Environment, globalSettings);
@ -40,6 +46,16 @@ namespace Bit.Identity
            // Context
            services.AddScoped<CurrentContext>();

+            // Caching
+            services.AddMemoryCache();
+
+            if(!globalSettings.SelfHosted)
+            {
+                // Rate limiting
+                services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
+                services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
+            }
+
            // IdentityServer
            services.AddCustomIdentityServerServices(Environment, globalSettings);

@ -67,6 +83,11 @@ namespace Bit.Identity
                        return e.Level > LogEventLevel.Error;
                    }

+                    if(context.Contains(typeof(IpRateLimitMiddleware).FullName) && e.Level == LogEventLevel.Information)
+                    {
+                        return true;
+                    }
+
                    return e.Level >= LogEventLevel.Error;
                })
                .AddConsole()
@ -75,6 +96,12 @@ namespace Bit.Identity
            // Default Middleware
            app.UseDefaultMiddleware(env);

+            if(!globalSettings.SelfHosted)
+            {
+                // Rate limiting
+                app.UseMiddleware<CustomIpRateLimitMiddleware>();
+            }
+
            // Add IdentityServer to the request pipeline.
            app.UseIdentityServer();
        }
--- a/src/Identity/settings.json
+++ b/src/Identity/settings.json
@ -47,5 +47,35 @@
      "publicKey": "SECRET",
      "privateKey": "SECRET"
    }
+  },
+  "IpRateLimitOptions": {
+    "EnableEndpointRateLimiting": true,
+    "StackBlockedRequests": false,
+    "RealIpHeader": "CF-Connecting-IP",
+    "ClientIdHeader": "X-ClientId",
+    "HttpStatusCode": 429,
+    "IpWhitelist": [],
+    "EndpointWhitelist": [],
+    "ClientWhitelist": [],
+    "GeneralRules": [
+      {
+        "Endpoint": "*",
+        "Period": "1m",
+        "Limit": 60
+      },
+      {
+        "Endpoint": "*",
+        "Period": "1s",
+        "Limit": 5
+      },
+      {
+        "Endpoint": "post:/connect/token",
+        "Period": "1m",
+        "Limit": 10
+      }
+    ]
+  },
+  "IpRateLimitPolicies": {
+    "IpRules": []
  }
 }