mirror of
https://github.com/foss42/apidash.git
synced 2025-12-05 20:40:02 +08:00
127 lines
3.6 KiB
Dart
127 lines
3.6 KiB
Dart
/// Rate limiter for OAuth2 authentication attempts
|
|
/// Implements exponential backoff to prevent abuse and brute force attacks
|
|
class OAuth2RateLimiter {
|
|
static final Map<String, _RateLimitState> _states = {};
|
|
|
|
// Maximum attempts before lockout
|
|
static const int _maxAttempts = 5;
|
|
|
|
// Initial delay after first failure (in seconds)
|
|
static const int _initialDelay = 2;
|
|
|
|
// Maximum delay (in seconds)
|
|
static const int _maxDelay = 300; // 5 minutes
|
|
|
|
// Time window for reset (in minutes)
|
|
static const int _resetWindow = 30;
|
|
|
|
/// Check if an OAuth operation can proceed
|
|
/// Returns null if allowed, or DateTime when the operation can be retried
|
|
static DateTime? canProceed(String key) {
|
|
final state = _states[key];
|
|
|
|
if (state == null) {
|
|
// First attempt, no restrictions
|
|
return null;
|
|
}
|
|
|
|
final now = DateTime.now();
|
|
|
|
// Check if we should reset the counter (time window passed)
|
|
if (now.difference(state.firstAttempt).inMinutes >= _resetWindow) {
|
|
_states.remove(key);
|
|
return null;
|
|
}
|
|
|
|
// Check if we're in cooldown period
|
|
if (state.nextAttemptAt != null && now.isBefore(state.nextAttemptAt!)) {
|
|
return state.nextAttemptAt;
|
|
}
|
|
|
|
// Check if max attempts exceeded
|
|
if (state.attemptCount >= _maxAttempts) {
|
|
// Calculate next allowed attempt with exponential backoff
|
|
final delaySeconds = _calculateDelay(state.attemptCount);
|
|
final nextAttempt = state.lastAttempt.add(Duration(seconds: delaySeconds));
|
|
|
|
if (now.isBefore(nextAttempt)) {
|
|
return nextAttempt;
|
|
}
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
/// Record a failed authentication attempt
|
|
static void recordFailure(String key) {
|
|
final now = DateTime.now();
|
|
final state = _states[key];
|
|
|
|
if (state == null) {
|
|
_states[key] = _RateLimitState(
|
|
firstAttempt: now,
|
|
lastAttempt: now,
|
|
attemptCount: 1,
|
|
nextAttemptAt: null,
|
|
);
|
|
} else {
|
|
final delaySeconds = _calculateDelay(state.attemptCount + 1);
|
|
|
|
_states[key] = _RateLimitState(
|
|
firstAttempt: state.firstAttempt,
|
|
lastAttempt: now,
|
|
attemptCount: state.attemptCount + 1,
|
|
nextAttemptAt: now.add(Duration(seconds: delaySeconds)),
|
|
);
|
|
}
|
|
}
|
|
|
|
/// Record a successful authentication (clears the rate limit)
|
|
static void recordSuccess(String key) {
|
|
_states.remove(key);
|
|
}
|
|
|
|
/// Calculate delay with exponential backoff
|
|
static int _calculateDelay(int attemptCount) {
|
|
if (attemptCount <= 1) return 0;
|
|
|
|
// Exponential backoff: 2^(n-1) seconds, capped at _maxDelay
|
|
final delay = _initialDelay * (1 << (attemptCount - 2));
|
|
return delay > _maxDelay ? _maxDelay : delay;
|
|
}
|
|
|
|
/// Generate rate limit key from client credentials
|
|
static String generateKey(String clientId, String tokenUrl) {
|
|
return '$clientId:$tokenUrl';
|
|
}
|
|
|
|
/// Get remaining cooldown time in seconds
|
|
static int? getCooldownSeconds(String key) {
|
|
final canProceedAt = canProceed(key);
|
|
if (canProceedAt == null) return null;
|
|
|
|
final now = DateTime.now();
|
|
final diff = canProceedAt.difference(now);
|
|
return diff.inSeconds > 0 ? diff.inSeconds : null;
|
|
}
|
|
|
|
/// Clear all rate limiting states (for testing or admin purposes)
|
|
static void clearAll() {
|
|
_states.clear();
|
|
}
|
|
}
|
|
|
|
class _RateLimitState {
|
|
final DateTime firstAttempt;
|
|
final DateTime lastAttempt;
|
|
final int attemptCount;
|
|
final DateTime? nextAttemptAt;
|
|
|
|
_RateLimitState({
|
|
required this.firstAttempt,
|
|
required this.lastAttempt,
|
|
required this.attemptCount,
|
|
this.nextAttemptAt,
|
|
});
|
|
}
|