Implement critical security improvements for authentication

This commit addresses several security vulnerabilities in the authentication and authorization system: 1. JWT Encoding Panic Fix (Critical) - Replace .unwrap() with proper error handling in JWT token generation - Prevents server crashes from encoding failures - Returns HTTP 500 with error logging instead of panicking 2. Rate Limiting for Login Endpoint (Critical) - Add actix-governor dependency (v0.5) - Configure rate limiter: 2 requests/sec with burst of 5 - Protects against brute-force authentication attacks 3. Strengthen Password Requirements - Minimum length increased from 6 to 12 characters - Require uppercase, lowercase, numeric, and special characters - Add comprehensive validation with clear error messages 4. Fix Token Parsing Vulnerability - Replace unsafe split().last().unwrap_or() pattern - Use strip_prefix() for proper Bearer token validation - Return InvalidToken error for malformed Authorization headers 5. Improve Authentication Logging - Sanitize error messages to avoid leaking user existence - Change from "User not found or incorrect password" to "Failed login attempt" All changes tested and verified with existing test suite (65/65 tests passing). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-26 23:53:54 -05:00
parent a2f2d4de5c
commit 2c52cffd65
5 changed files with 184 additions and 17 deletions
--- a/src/main.rs
+++ b/src/main.rs
@@ -21,6 +21,7 @@ use walkdir::{DirEntry, WalkDir};

 use actix_cors::Cors;
 use actix_files::NamedFile;
+use actix_governor::{Governor, GovernorConfigBuilder};
 use actix_multipart as mp;
 use actix_web::{
    App, HttpRequest, HttpResponse, HttpServer, Responder, delete, get, middleware, post, put,
@@ -760,10 +761,21 @@ fn main() -> std::io::Result<()> {
                .supports_credentials()
                .max_age(3600);

+            // Configure rate limiting for login endpoint (2 requests/sec, burst of 5)
+            let governor_conf = GovernorConfigBuilder::default()
+                .per_second(2)
+                .burst_size(5)
+                .finish()
+                .unwrap();
+
            App::new()
                .wrap(middleware::Logger::default())
                .wrap(cors)
-                .service(web::resource("/login").route(web::post().to(login::<SqliteUserDao>)))
+                .service(
+                    web::resource("/login")
+                        .wrap(Governor::new(&governor_conf))
+                        .route(web::post().to(login::<SqliteUserDao>)),
+                )
                .service(
                    web::resource("/photos")
                        .route(web::get().to(files::list_photos::<SqliteTagDao, RealFileSystem>)),