feat: add per-endpoint rate limiting for sensitive operations (PENTEST-04)
New EndpointRateLimiter in session.rs tracks requests per (method, IP) with configurable limits and time windows:

Financial operations (5 req/5min):
- wallet.send, lnd.sendcoins, lnd.payinvoice, lnd.create-psbt, lnd.finalize-psbt, wallet.ecash-send

Channel operations (3 req/5min):
- lnd.openchannel, lnd.closechannel

Backup operations (2-3 req/10min):
- backup.create, backup.restore

Container/package installs (5 req/5min):
- container-install, package.install

System operations (2 req/5min):
- system.reboot, system.shutdown, update.apply

Identity/auth (3-10 req/5min):
- identity.create, identity.issue-credential, auth.changePassword

Returns HTTP 429 with Retry-After header when limits exceeded.

Verified on live server: auth.changePassword blocks at 4th request, lnd.sendcoins blocks at 6th request.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
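The commit message describes a limiter keyed on (method, IP) with a per-method limit and window that answers 429 plus `Retry-After` once the budget is spent. The block below is an added illustration of that design, not the project's `EndpointRateLimiter` from session.rs: it is a sliding-window counter with a policy table that reuses a few of the method names and limits quoted above, takes the current `Instant` as a parameter so behaviour is deterministic, and computes the `Retry-After` value from the age of the oldest request still inside the window. The type and method names are assumptions for the example.

```rust
use std::collections::{HashMap, VecDeque};
use std::net::IpAddr;
use std::time::{Duration, Instant};

/// Per-method policy: at most `limit` requests within any rolling `window`.
#[derive(Clone, Copy, Debug)]
pub struct Policy {
    pub limit: usize,
    pub window: Duration,
}

/// Outcome of a limiter check. `TooManyRequests` maps to HTTP 429 and carries
/// the value to put in the `Retry-After` header (whole seconds, rounded up).
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Allow,
    TooManyRequests { retry_after_secs: u64 },
}

/// Example sliding-window limiter keyed by (method, client IP).
/// Not the project's implementation; names and the policy table are illustrative.
pub struct EndpointRateLimiter {
    policies: HashMap<&'static str, Policy>,
    hits: HashMap<(String, IpAddr), VecDeque<Instant>>,
}

impl EndpointRateLimiter {
    /// Policy table reusing a subset of the limits listed in the commit message.
    pub fn with_default_policies() -> Self {
        let five_min = Duration::from_secs(300);
        let mut policies = HashMap::new();
        for m in ["wallet.send", "lnd.sendcoins", "lnd.payinvoice"] {
            policies.insert(m, Policy { limit: 5, window: five_min });
        }
        for m in ["lnd.openchannel", "lnd.closechannel", "auth.changePassword"] {
            policies.insert(m, Policy { limit: 3, window: five_min });
        }
        policies.insert("system.reboot", Policy { limit: 2, window: five_min });
        Self { policies, hits: HashMap::new() }
    }

    /// Record one request for `method` from `ip` at time `now` and decide whether
    /// it may proceed. `now` is injected so tests do not depend on the wall clock.
    pub fn check(&mut self, method: &str, ip: IpAddr, now: Instant) -> Decision {
        let policy = match self.policies.get(method) {
            Some(p) => *p,
            None => return Decision::Allow, // methods without a policy are not limited here
        };
        let queue = self.hits.entry((method.to_string(), ip)).or_default();

        // Evict timestamps that have aged out of the window (sliding-window semantics).
        while let Some(&oldest) = queue.front() {
            if now.duration_since(oldest) >= policy.window {
                queue.pop_front();
            } else {
                break;
            }
        }

        if queue.len() >= policy.limit {
            // Budget exhausted: the client may retry once the oldest in-window hit expires.
            let oldest = *queue.front().expect("queue is non-empty when at limit");
            let remaining = policy.window - now.duration_since(oldest);
            let mut secs = remaining.as_secs();
            if remaining.subsec_nanos() > 0 {
                secs += 1; // round up so Retry-After never under-reports
            }
            return Decision::TooManyRequests { retry_after_secs: secs.max(1) };
        }

        queue.push_back(now);
        Decision::Allow
    }
}

fn main() {
    let mut limiter = EndpointRateLimiter::with_default_policies();
    let ip: IpAddr = "203.0.113.7".parse().unwrap(); // constructed sample client (TEST-NET-3)
    let t0 = Instant::now();
    for i in 0..4u64 {
        let d = limiter.check("auth.changePassword", ip, t0 + Duration::from_secs(i));
        println!("request {} -> {:?}", i + 1, d);
    }
}
```

Keying on the client IP means all clients behind one NAT share a single budget, and if the IP is taken from a proxy-supplied header rather than the socket peer, that header must come from a trusted proxy for the budget to mean anything; both points belong in the deployment notes for any limiter of this shape.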
@@ -370,7 +370,7 @@
- [x] **PENTEST-03** — Harden Podman container isolation. Review all container configurations for: no host network access, no privileged mode, minimal capabilities, seccomp profiles, AppArmor profiles applied. Generate and apply AppArmor profiles for each app. **Acceptance**: All containers run with minimal privileges.
- [ ] **PENTEST-04** — Add rate limiting to all sensitive endpoints. Extend rate limiting beyond login: add rate limits to `identity.create`, `wallet.*`, `backup.create`, `update.apply`, `container-install`. Configurable per-endpoint. **Acceptance**: Rate-limited endpoints return 429 when exceeded.
- [x] **PENTEST-04** — Add rate limiting to all sensitive endpoints. Extend rate limiting beyond login: add rate limits to `identity.create`, `wallet.*`, `backup.create`, `update.apply`, `container-install`. Configurable per-endpoint. **Acceptance**: Rate-limited endpoints return 429 when exceeded.
#### Sprint 31: End-to-End Quality Assurance (Week 5-8)
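Review bot: the PENTEST-04 item is flipped from `[ ]` to `[x]`, but the scope the item states (`identity.create`, `wallet.*`, `backup.create`, `update.apply`, `container-install`) is wider than what the commit message reports verifying on the live server (`auth.changePassword` and `lnd.sendcoins` only), and for `wallet.*` the message names just `wallet.send` and `wallet.ecash-send`. Before marking it done, either add tests that assert a 429 with `Retry-After` for each limited method group, or amend the item to record which methods were actually verified. Since the limiter keys on (method, IP), the acceptance text should also say how the client IP is derived (socket peer address versus a proxy-supplied header), because that decides whether the per-IP budget is meaningful in the deployed topology.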