Implement IP-based rate limiting for password attempts

Co-authored-by: erikdubbelboer <522870+erikdubbelboer@users.noreply.github.com>

Author: Copilot

features/password-rate-limiting.feature

@@ -0,0 +1,41 @@
+Feature: Rate limiting for password attempts
+
+  Background:
+    Given the "signaling" backend is running
+
+  Scenario: Rate limiting blocks too many password attempts from same IP
+    Given "blue" is connected as "1u8fw4aph5ypt" and ready for game "4307bd86-e1df-41b8-b9df-e22afcf084bd"
+    And "yellow" is connected as "h5yzwyizlwao" and ready for game "4307bd86-e1df-41b8-b9df-e22afcf084bd"
+    And "blue" creates a lobby with these settings:
+      """json
+      {
+        "password": "foobar"
+      }
+      """
+    And "blue" receives the network event "lobby" with the argument "19yrzmetd2bn7"
+
+    # Make several failed password attempts
+    When "yellow" tries to connect to the lobby "19yrzmetd2bn7" with the password "wrong1"
+    Then "yellow" failed to join the lobby
+    And the latest error for "yellow" is "invalid password"
+
+    When "yellow" tries to connect to the lobby "19yrzmetd2bn7" with the password "wrong2"
+    Then "yellow" failed to join the lobby
+    And the latest error for "yellow" is "invalid password"
+
+    When "yellow" tries to connect to the lobby "19yrzmetd2bn7" with the password "wrong3"
+    Then "yellow" failed to join the lobby
+    And the latest error for "yellow" is "invalid password"
+
+    When "yellow" tries to connect to the lobby "19yrzmetd2bn7" with the password "wrong4"
+    Then "yellow" failed to join the lobby
+    And the latest error for "yellow" is "invalid password"
+
+    When "yellow" tries to connect to the lobby "19yrzmetd2bn7" with the password "wrong5"
+    Then "yellow" failed to join the lobby
+    And the latest error for "yellow" is "invalid password"
+
+    # The 6th attempt should be rate limited
+    When "yellow" tries to connect to the lobby "19yrzmetd2bn7" with the password "wrong6"
+    Then "yellow" failed to join the lobby
+    And the latest error for "yellow" is "too many password attempts"

internal/signaling/handler.go

@@ -26,6 +26,9 @@ func Handler(ctx context.Context, store stores.Store, cloudflare *cloudflare.Cre
 	}
 	go manager.Run(ctx)
 
+	// Create rate limiter for password attempts: 5 attempts per 15 minutes per IP
+	passwordRateLimiter := util.NewPasswordRateLimiter(5, 15*time.Minute)
+
 	go func() {
 		logger := logging.GetLogger(ctx)
 		ticker := time.NewTicker(LobbyCleanInterval)
@@ -43,12 +46,24 @@ func Handler(ctx context.Context, store stores.Store, cloudflare *cloudflare.Cre
 		}
 	}()
 
+	// Close rate limiter when context is done
+	go func() {
+		<-ctx.Done()
+		passwordRateLimiter.Close()
+	}()
+
 	wg := &sync.WaitGroup{}
 	return wg, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		logger := logging.GetLogger(ctx)
 		logger.Debug("upgrading connection")
 
+		// Extract remote address for rate limiting
+		remoteAddr := r.RemoteAddr
+		if r.Header.Get("X-Forwarded-For") != "" {
+			remoteAddr = strings.TrimSpace(strings.Split(r.Header.Get("X-Forwarded-For"), ",")[0])
+		}
+
 		ctx, cancel := context.WithCancel(ctx)
 		defer cancel()
 
@@ -69,6 +84,8 @@ func Handler(ctx context.Context, store stores.Store, cloudflare *cloudflare.Cre
 			conn:  conn,
 
 			retrievedIDCallback: manager.Reconnected,
+			rateLimiter:         passwordRateLimiter,
+			remoteAddr:          remoteAddr,
 		}
 		defer func() {
 			logger.Info("peer websocket closed", zap.String("peer", peer.ID), zap.String("game", peer.Game), zap.String("origin", r.Header.Get("Origin")))

internal/signaling/peer.go

@@ -26,6 +26,8 @@ type Peer struct {
 	closedPacketReceived bool
 
 	retrievedIDCallback func(context.Context, string, string, string) (bool, []string, error)
+	rateLimiter         *util.PasswordRateLimiter
+	remoteAddr          string
 
 	ID     string
 	Secret string
@@ -460,12 +462,27 @@ func (p *Peer) HandleJoinPacket(ctx context.Context, packet JoinPacket) error {
 		return fmt.Errorf("lobby code too long")
 	}
 
+	// Check rate limit for password attempts if rate limiter is available
+	if p.rateLimiter != nil {
+		logger.Debug("checking rate limit", zap.String("remote_addr", p.remoteAddr))
+		if !p.rateLimiter.IsAllowed(ctx, p.remoteAddr) {
+			logger.Warn("rate limit exceeded for password attempt", zap.String("remote_addr", p.remoteAddr))
+			util.ReplyError(ctx, p.conn, util.ErrorWithCode(fmt.Errorf("too many password attempts"), "rate-limited"))
+			return nil
+		}
+	}
+
 	err := p.store.JoinLobby(ctx, p.Game, packet.Lobby, p.ID, packet.Password)
 	if err != nil {
 		if err == stores.ErrNotFound {
 			util.ReplyError(ctx, p.conn, util.ErrorWithCode(err, "lobby-not-found"))
 			return nil
 		} else if err == stores.ErrInvalidPassword {
+			// Record failed password attempt for rate limiting
+			if p.rateLimiter != nil {
+				logger.Debug("recording failed password attempt", zap.String("remote_addr", p.remoteAddr))
+				p.rateLimiter.RecordFailedAttempt(ctx, p.remoteAddr)
+			}
 			util.ReplyError(ctx, p.conn, util.ErrorWithCode(err, "invalid-password"))
 			return nil
 		} else if err == stores.ErrLobbyIsFull {

internal/util/ratelimit.go

@@ -0,0 +1,143 @@
+package util
+
+import (
+	"context"
+	"sync"
+	"time"
+)
+
+// GetRemoteAddr extracts the remote IP address from context 
+// This duplicates the logic from metrics package to avoid circular imports
+func GetRemoteAddr(ctx context.Context) string {
+	// Use the same context key pattern as metrics package
+	type metricsContextKey int
+	remoteAddrKey := metricsContextKey(1)
+	
+	if addr, ok := ctx.Value(remoteAddrKey).(string); ok {
+		return addr
+	}
+	return ""
+}
+
+// PasswordRateLimiter provides simple IP-based rate limiting for password attempts
+type PasswordRateLimiter struct {
+	mu            sync.RWMutex
+	attempts      map[string][]time.Time
+	maxAttempts   int
+	windowSize    time.Duration
+	cleanupTicker *time.Ticker
+	done          chan bool
+}
+
+// NewPasswordRateLimiter creates a new rate limiter for password attempts
+// maxAttempts: maximum password attempts allowed per IP in the time window
+// windowSize: time window for counting attempts (e.g., 15 minutes)
+func NewPasswordRateLimiter(maxAttempts int, windowSize time.Duration) *PasswordRateLimiter {
+	rl := &PasswordRateLimiter{
+		attempts:    make(map[string][]time.Time),
+		maxAttempts: maxAttempts,
+		windowSize:  windowSize,
+		done:        make(chan bool),
+	}
+
+	// Start cleanup routine to prevent memory leaks
+	rl.cleanupTicker = time.NewTicker(windowSize)
+	go rl.cleanup()
+
+	return rl
+}
+
+// IsAllowed checks if a password attempt from the given IP is allowed
+// Returns true if attempt is allowed, false if rate limited
+func (rl *PasswordRateLimiter) IsAllowed(ctx context.Context, remoteAddr string) bool {
+	if remoteAddr == "" {
+		return true // Allow if we can't determine IP
+	}
+
+	rl.mu.RLock()
+	attempts, exists := rl.attempts[remoteAddr]
+	rl.mu.RUnlock()
+
+	if !exists {
+		return true
+	}
+
+	now := time.Now()
+	cutoff := now.Add(-rl.windowSize)
+
+	// Count valid attempts within window
+	validAttempts := 0
+	for _, attemptTime := range attempts {
+		if attemptTime.After(cutoff) {
+			validAttempts++
+		}
+	}
+
+	return validAttempts < rl.maxAttempts
+}
+
+// RecordFailedAttempt records a failed password attempt for the given IP
+func (rl *PasswordRateLimiter) RecordFailedAttempt(ctx context.Context, remoteAddr string) {
+	if remoteAddr == "" {
+		return // Nothing to record if we can't determine IP
+	}
+
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+
+	now := time.Now()
+	cutoff := now.Add(-rl.windowSize)
+
+	// Clean up old attempts for this IP and add new one
+	attempts := rl.attempts[remoteAddr]
+	validAttempts := make([]time.Time, 0, len(attempts)+1)
+
+	// Keep only recent attempts
+	for _, attemptTime := range attempts {
+		if attemptTime.After(cutoff) {
+			validAttempts = append(validAttempts, attemptTime)
+		}
+	}
+
+	// Add current attempt
+	validAttempts = append(validAttempts, now)
+	rl.attempts[remoteAddr] = validAttempts
+}
+
+// cleanup periodically removes old entries to prevent memory leaks
+func (rl *PasswordRateLimiter) cleanup() {
+	for {
+		select {
+		case <-rl.cleanupTicker.C:
+			rl.mu.Lock()
+			now := time.Now()
+			cutoff := now.Add(-rl.windowSize)
+
+			for ip, attempts := range rl.attempts {
+				validAttempts := make([]time.Time, 0, len(attempts))
+				for _, attemptTime := range attempts {
+					if attemptTime.After(cutoff) {
+						validAttempts = append(validAttempts, attemptTime)
+					}
+				}
+
+				if len(validAttempts) == 0 {
+					delete(rl.attempts, ip)
+				} else {
+					rl.attempts[ip] = validAttempts
+				}
+			}
+			rl.mu.Unlock()
+		case <-rl.done:
+			return
+		}
+	}
+}
+
+// Close stops the cleanup routine
+func (rl *PasswordRateLimiter) Close() {
+	if rl.cleanupTicker != nil {
+		rl.cleanupTicker.Stop()
+	}
+	close(rl.done)
+}