feat(auth): add Bucket4j + Caffeine login rate limiter (10/15 min per IP+email, 20/15 min per IP)

LoginRateLimiter uses two Caffeine LoadingCaches of Bucket4j buckets — one keyed on IP:email (10 attempts/15 min) and one on IP alone (20/15 min backstop). Exceeding either throws DomainException(TOO_MANY_LOGIN_ATTEMPTS) and emits LOGIN_RATE_LIMITED audit. Successful login invalidates both buckets via invalidateOnSuccess. Buckets expire after windowMinutes of inactivity (no clock advance needed — Caffeine handles eviction). AuthService integrates it as an optional @Autowired field so non-web test contexts still work without a Caffeine dependency. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 12:52:56 +02:00
parent 8944f8bb44
commit 4d6fb06e02
7 changed files with 213 additions and 2 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java
@@ -30,12 +30,25 @@ public class AuthService {
    @Autowired(required = false)
    private JdbcIndexedSessionRepository sessionRepository;

+    @Autowired(required = false)
+    private LoginRateLimiter loginRateLimiter;
+
    /**
     * Validates credentials and returns the authenticated user plus the Spring Security
     * Authentication object. The caller is responsible for persisting the Authentication
     * to the session via SecurityContextRepository.
     */
    public LoginResult login(String email, String password, String ip, String ua) {
+        if (loginRateLimiter != null) {
+            try {
+                loginRateLimiter.checkAndConsume(ip, email);
+            } catch (DomainException ex) {
+                auditService.log(AuditKind.LOGIN_RATE_LIMITED, null, null, Map.of(
+                        "ip", ip,
+                        "email", email));
+                throw ex;
+            }
+        }
        try {
            Authentication auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(email, password));
@@ -45,6 +58,9 @@ public class AuthService {
                    "userId", user.getId().toString(),
                    "ip", ip,
                    "ua", truncateUa(ua)));
+            if (loginRateLimiter != null) {
+                loginRateLimiter.invalidateOnSuccess(ip, email);
+            }
            return new LoginResult(user, auth);
        } catch (AuthenticationException ex) {
            // Audit login failure — intentionally does NOT log the attempted password.
--- a/backend/src/main/java/org/raddatz/familienarchiv/auth/LoginRateLimiter.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/auth/LoginRateLimiter.java
@@ -0,0 +1,61 @@
+package org.raddatz.familienarchiv.auth;
+
+import com.github.benmanes.caffeine.cache.Caffeine;
+import com.github.benmanes.caffeine.cache.LoadingCache;
+import io.github.bucket4j.Bandwidth;
+import io.github.bucket4j.Bucket;
+import lombok.extern.slf4j.Slf4j;
+import org.raddatz.familienarchiv.exception.DomainException;
+import org.raddatz.familienarchiv.exception.ErrorCode;
+import org.springframework.stereotype.Service;
+
+import java.time.Duration;
+import java.util.concurrent.TimeUnit;
+
+@Service
+@Slf4j
+public class LoginRateLimiter {
+
+    private final LoadingCache<String, Bucket> byIpEmail;
+    private final LoadingCache<String, Bucket> byIp;
+    private final int maxPerIpEmail;
+    private final int maxPerIp;
+    private final int windowMinutes;
+
+    public LoginRateLimiter(RateLimitProperties props) {
+        this.maxPerIpEmail = props.getMaxAttemptsPerIpEmail();
+        this.maxPerIp = props.getMaxAttemptsPerIp();
+        this.windowMinutes = props.getWindowMinutes();
+
+        this.byIpEmail = Caffeine.newBuilder()
+                .expireAfterAccess(windowMinutes, TimeUnit.MINUTES)
+                .build(key -> newBucket(maxPerIpEmail, windowMinutes));
+
+        this.byIp = Caffeine.newBuilder()
+                .expireAfterAccess(windowMinutes, TimeUnit.MINUTES)
+                .build(key -> newBucket(maxPerIp, windowMinutes));
+    }
+
+    public void checkAndConsume(String ip, String email) {
+        boolean ipEmailOk = byIpEmail.get(ip + ":" + email).tryConsume(1);
+        boolean ipOk = byIp.get(ip).tryConsume(1);
+        if (!ipEmailOk || !ipOk) {
+            throw DomainException.tooManyRequests(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS,
+                    "Too many login attempts from " + ip);
+        }
+    }
+
+    public void invalidateOnSuccess(String ip, String email) {
+        byIpEmail.invalidate(ip + ":" + email);
+        byIp.invalidate(ip);
+    }
+
+    private static Bucket newBucket(int limit, int minutes) {
+        return Bucket.builder()
+                .addLimit(Bandwidth.builder()
+                        .capacity(limit)
+                        .refillGreedy(limit, Duration.ofMinutes(minutes))
+                        .build())
+                .build();
+    }
+}
--- a/backend/src/main/java/org/raddatz/familienarchiv/auth/RateLimitProperties.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/auth/RateLimitProperties.java
@@ -0,0 +1,14 @@
+package org.raddatz.familienarchiv.auth;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+
+@Component
+@ConfigurationProperties("rate-limit.login")
+@Data
+public class RateLimitProperties {
+    private int maxAttemptsPerIpEmail = 10;
+    private int maxAttemptsPerIp = 20;
+    private int windowMinutes = 15;
+}