Add IP-based rate limiting for password attempts

Copilot · erikdubbelboer · Copilot · commit c7dfb25fd20b · 2025-08-20T23:11:02.000Z
Co-authored-by: erikdubbelboer &lt;522870+erikdubbelboer@users.noreply.github.com&gt;
diff --git a/internal/util/config_test.go b/internal/util/config_test.go
@@ -0,0 +1,63 @@
+package util
+
+import (
+	"context"
+	"testing"
+	"time"
+)
+
+func TestPasswordRateLimiter_Configuration(t *testing.T) {
+	// Test that different configurations work
+	tests := []struct {
+		name        string
+		maxAttempts int
+		windowSize  time.Duration
+		attempts    int
+		shouldBlock bool
+	}{
+		{
+			name:        "strict limit - 2 attempts per minute",
+			maxAttempts: 2,
+			windowSize:  time.Minute,
+			attempts:    2,
+			shouldBlock: true,
+		},
+		{
+			name:        "lenient limit - 10 attempts per minute",
+			maxAttempts: 10,
+			windowSize:  time.Minute,
+			attempts:    5,
+			shouldBlock: false,
+		},
+		{
+			name:        "very strict - 1 attempt per minute",
+			maxAttempts: 1,
+			windowSize:  time.Minute,
+			attempts:    1,
+			shouldBlock: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rl := NewPasswordRateLimiter(tt.maxAttempts, tt.windowSize)
+			defer rl.Close()
+
+			ctx := context.Background()
+			ip := "192.168.1.100"
+
+			// Record the specified number of attempts
+			for i := 0; i < tt.attempts; i++ {
+				rl.RecordFailedAttempt(ctx, ip)
+			}
+
+			// Check if next attempt should be blocked
+			allowed := rl.IsAllowed(ctx, ip)
+			blocked := !allowed
+
+			if blocked != tt.shouldBlock {
+				t.Errorf("Expected blocked=%v but got blocked=%v", tt.shouldBlock, blocked)
+			}
+		})
+	}
+}
