vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-05 06:40:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(gateway): add auth rate-limiting & brute-force protection (#15035)

Browse Source 
* feat(gateway): add auth rate-limiting & brute-force protection

Add a per-IP sliding-window rate limiter to Gateway authentication
endpoints (HTTP, WebSocket upgrade, and WS message-level auth).

When gateway.auth.rateLimit is configured, failed auth attempts are
tracked per client IP. Once the threshold is exceeded within the
sliding window, further attempts are blocked with HTTP 429 + Retry-After
until the lockout period expires. Loopback addresses are exempt by
default so local CLI sessions are never locked out.

The limiter is only created when explicitly configured (undefined
otherwise), keeping the feature fully opt-in and backward-compatible.

* fix(gateway): isolate auth rate-limit scopes and normalize 429 responses

---------

Co-authored-by: buerbaumer <buerbaumer@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
This commit is contained in:
Harald Buerbaumer
2026-02-13 15:32:38 +01:00
committed by GitHub
parent 9131b22a28
commit 30b6eccae5
24 changed files with 1063 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/gateway/server/ws-connection.ts
View File

@@ -1,6 +1,7 @@
import type { WebSocket, WebSocketServer } from "ws";
import { randomUUID } from "node:crypto";
import type { createSubsystemLogger } from "../../logging/subsystem.js";
import type { AuthRateLimiter } from "../auth-rate-limit.js";
import type { ResolvedGatewayAuth } from "../auth.js";
import type { GatewayRequestContext, GatewayRequestHandlers } from "../server-methods/types.js";
import type { GatewayWsClient } from "./ws-types.js";
@@ -24,6 +25,8 @@ export function attachGatewayWsConnectionHandler(params: {
canvasHostEnabled: boolean;
canvasHostServerPort?: number;
resolvedAuth: ResolvedGatewayAuth;
/** Optional rate limiter for auth brute-force protection. */
rateLimiter?: AuthRateLimiter;
gatewayMethods: string[];
events: string[];
logGateway: SubsystemLogger;
@@ -48,6 +51,7 @@ export function attachGatewayWsConnectionHandler(params: {
canvasHostEnabled,
canvasHostServerPort,
resolvedAuth,
rateLimiter,
gatewayMethods,
events,
logGateway,
@@ -240,6 +244,7 @@ export function attachGatewayWsConnectionHandler(params: {
canvasHostUrl,
connectNonce,
resolvedAuth,
rateLimiter,
gatewayMethods,
events,
extraHandlers,

90
src/gateway/server/ws-connection/message-handler.ts
View File

@@ -2,7 +2,7 @@ import type { IncomingMessage } from "node:http";
import type { WebSocket } from "ws";
import os from "node:os";
import type { createSubsystemLogger } from "../../../logging/subsystem.js";
import type { ResolvedGatewayAuth } from "../../auth.js";
import type { GatewayAuthResult, ResolvedGatewayAuth } from "../../auth.js";
import type { GatewayRequestContext, GatewayRequestHandlers } from "../../server-methods/types.js";
import type { GatewayWsClient } from "../ws-types.js";
import { loadConfig } from "../../../config/config.js";
@@ -25,6 +25,11 @@ import { upsertPresence } from "../../../infra/system-presence.js";
import { loadVoiceWakeConfig } from "../../../infra/voicewake.js";
import { rawDataToString } from "../../../infra/ws.js";
import { isGatewayCliClient, isWebchatClient } from "../../../utils/message-channel.js";
import {
AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN,
AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET,
type AuthRateLimiter,
} from "../../auth-rate-limit.js";
import { authorizeGatewayConnect, isLocalDirectRequest } from "../../auth.js";
import { buildDeviceAuthPayload } from "../../device-auth.js";
import { isLoopbackAddress, isTrustedProxyAddress, resolveGatewayClientIp } from "../../net.js";
@@ -117,6 +122,10 @@ function formatGatewayAuthFailureMessage(params: {
return "unauthorized: tailscale identity check failed (use Tailscale Serve auth or gateway token/password)";
case "tailscale_user_mismatch":
return "unauthorized: tailscale identity mismatch (use Tailscale Serve auth or gateway token/password)";
case "rate_limited":
return "unauthorized: too many failed authentication attempts (retry later)";
case "device_token_mismatch":
return "unauthorized: device token mismatch (rotate/reissue device token)";
default:
break;
}
@@ -143,6 +152,8 @@ export function attachGatewayWsMessageHandler(params: {
canvasHostUrl?: string;
connectNonce: string;
resolvedAuth: ResolvedGatewayAuth;
/** Optional rate limiter for auth brute-force protection. */
rateLimiter?: AuthRateLimiter;
gatewayMethods: string[];
events: string[];
extraHandlers: GatewayRequestHandlers;
@@ -173,6 +184,7 @@ export function attachGatewayWsMessageHandler(params: {
canvasHostUrl,
connectNonce,
resolvedAuth,
rateLimiter,
gatewayMethods,
events,
extraHandlers,
@@ -405,12 +417,36 @@ export function attachGatewayWsMessageHandler(params: {
const allowControlUiBypass = allowInsecureControlUi || disableControlUiDeviceAuth;
const device = disableControlUiDeviceAuth ? null : deviceRaw;
const authResult = await authorizeGatewayConnect({
const hasDeviceTokenCandidate = Boolean(connectParams.auth?.token && device);
let authResult: GatewayAuthResult = await authorizeGatewayConnect({
auth: resolvedAuth,
connectAuth: connectParams.auth,
req: upgradeReq,
trustedProxies,
rateLimiter: hasDeviceTokenCandidate ? undefined : rateLimiter,
clientIp,
rateLimitScope: AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET,
});
if (
hasDeviceTokenCandidate &&
authResult.ok &&
rateLimiter &&
(authResult.method === "token" || authResult.method === "password")
) {
const sharedRateCheck = rateLimiter.check(clientIp, AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET);
if (!sharedRateCheck.allowed) {
authResult = {
ok: false,
reason: "rate_limited",
rateLimited: true,
retryAfterMs: sharedRateCheck.retryAfterMs,
};
} else {
rateLimiter.reset(clientIp, AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET);
}
}
let authOk = authResult.ok;
let authMethod =
authResult.method ?? (resolvedAuth.mode === "password" ? "password" : "token");
@@ -420,15 +456,18 @@ export function attachGatewayWsMessageHandler(params: {
connectAuth: connectParams.auth,
req: upgradeReq,
trustedProxies,
// Shared-auth probe only; rate-limit side effects are handled in
// the primary auth flow (or deferred for device-token candidates).
rateLimitScope: AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET,
})
: null;
const sharedAuthOk =
sharedAuthResult?.ok === true &&
(sharedAuthResult.method === "token" || sharedAuthResult.method === "password");
const rejectUnauthorized = () => {
const rejectUnauthorized = (failedAuth: GatewayAuthResult) => {
setHandshakeState("failed");
logWsControl.warn(
`unauthorized conn=${connId} remote=${remoteAddr ?? "?"} client=${clientLabel} ${connectParams.client.mode} v${connectParams.client.version} reason=${authResult.reason ?? "unknown"}`,
`unauthorized conn=${connId} remote=${remoteAddr ?? "?"} client=${clientLabel} ${connectParams.client.mode} v${connectParams.client.version} reason=${failedAuth.reason ?? "unknown"}`,
);
const authProvided: AuthProvidedKind = connectParams.auth?.token
? "token"
@@ -438,13 +477,13 @@ export function attachGatewayWsMessageHandler(params: {
const authMessage = formatGatewayAuthFailureMessage({
authMode: resolvedAuth.mode,
authProvided,
reason: authResult.reason,
reason: failedAuth.reason,
client: connectParams.client,
});
setCloseCause("unauthorized", {
authMode: resolvedAuth.mode,
authProvided,
authReason: authResult.reason,
authReason: failedAuth.reason,
allowTailscale: resolvedAuth.allowTailscale,
client: connectParams.client.id,
clientDisplayName: connectParams.client.displayName,
@@ -484,7 +523,7 @@ export function attachGatewayWsMessageHandler(params: {
// Allow shared-secret authenticated connections (e.g., control-ui) to skip device identity
if (!canSkipDevice) {
if (!authOk && hasSharedAuth) {
rejectUnauthorized();
rejectUnauthorized(authResult);
return;
}
setHandshakeState("failed");
@@ -654,19 +693,36 @@ export function attachGatewayWsMessageHandler(params: {
}
if (!authOk && connectParams.auth?.token && device) {
const tokenCheck = await verifyDeviceToken({
deviceId: device.id,
token: connectParams.auth.token,
role,
scopes,
});
if (tokenCheck.ok) {
authOk = true;
authMethod = "device-token";
if (rateLimiter) {
const deviceRateCheck = rateLimiter.check(clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
if (!deviceRateCheck.allowed) {
authResult = {
ok: false,
reason: "rate_limited",
rateLimited: true,
retryAfterMs: deviceRateCheck.retryAfterMs,
};
}
}
if (!authResult.rateLimited) {
const tokenCheck = await verifyDeviceToken({
deviceId: device.id,
token: connectParams.auth.token,
role,
scopes,
});
if (tokenCheck.ok) {
authOk = true;
authMethod = "device-token";
rateLimiter?.reset(clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
} else {
authResult = { ok: false, reason: "device_token_mismatch" };
rateLimiter?.recordFailure(clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
}
}
}
if (!authOk) {
rejectUnauthorized();
rejectUnauthorized(authResult);
return;
}