feat(auth): add Bucket4j + Caffeine login rate limiter (10/15 min per IP+email, 20/15 min per IP)

LoginRateLimiter uses two Caffeine LoadingCaches of Bucket4j buckets — one keyed on IP:email (10 attempts/15 min) and one on IP alone (20/15 min backstop). Exceeding either throws DomainException(TOO_MANY_LOGIN_ATTEMPTS) and emits LOGIN_RATE_LIMITED audit. Successful login invalidates both buckets via invalidateOnSuccess. Buckets expire after windowMinutes of inactivity (no clock advance needed — Caffeine handles eviction). AuthService integrates it as an optional @Autowired field so non-web test contexts still work without a Caffeine dependency. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 12:52:56 +02:00
parent 8944f8bb44
commit 4d6fb06e02
7 changed files with 213 additions and 2 deletions
--- a/backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java
@@ -16,6 +16,7 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
+import org.raddatz.familienarchiv.exception.ErrorCode;

 import java.util.HashMap;
 import java.util.Map;
@@ -37,14 +38,16 @@ class AuthServiceTest {
    @Mock UserService userService;
    @Mock AuditService auditService;
    @Mock JdbcIndexedSessionRepository sessionRepository;
+    @Mock LoginRateLimiter loginRateLimiter;
    @InjectMocks AuthService authService;

    private static final String IP = "127.0.0.1";
    private static final String UA = "Mozilla/5.0 (Test)";

    @BeforeEach
-    void injectSessionRepository() {
+    void injectOptionalFields() {
        ReflectionTestUtils.setField(authService, "sessionRepository", sessionRepository);
+        ReflectionTestUtils.setField(authService, "loginRateLimiter", loginRateLimiter);
    }

    @Test
@@ -141,6 +144,45 @@ class AuthServiceTest {
        );
    }

+    @Test
+    void login_checks_rate_limit_before_authenticating() {
+        doThrow(DomainException.tooManyRequests(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS, "rate limited"))
+            .when(loginRateLimiter).checkAndConsume(IP, "user@test.de");
+
+        assertThatThrownBy(() -> authService.login("user@test.de", "pass", IP, UA))
+            .isInstanceOf(DomainException.class)
+            .satisfies(ex -> assertThat(((DomainException) ex).getCode())
+                .isEqualTo(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS));
+
+        verify(authenticationManager, never()).authenticate(any());
+    }
+
+    @Test
+    void login_fires_LOGIN_RATE_LIMITED_audit_when_rate_limited() {
+        UUID userId = UUID.randomUUID();
+        doThrow(DomainException.tooManyRequests(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS, "rate limited"))
+            .when(loginRateLimiter).checkAndConsume(IP, "user@test.de");
+
+        assertThatThrownBy(() -> authService.login("user@test.de", "pass", IP, UA))
+            .isInstanceOf(DomainException.class);
+
+        verify(auditService).log(eq(AuditKind.LOGIN_RATE_LIMITED), isNull(), isNull(),
+            argThat(payload -> IP.equals(payload.get("ip")) && "user@test.de".equals(payload.get("email"))));
+    }
+
+    @Test
+    void login_invalidates_rate_limit_on_success() {
+        UUID userId = UUID.randomUUID();
+        AppUser user = AppUser.builder().id(userId).email("user@test.de").build();
+        Authentication auth = new UsernamePasswordAuthenticationToken("user@test.de", null, Set.of());
+        when(authenticationManager.authenticate(any())).thenReturn(auth);
+        when(userService.findByEmail("user@test.de")).thenReturn(user);
+
+        authService.login("user@test.de", "pass123", IP, UA);
+
+        verify(loginRateLimiter).invalidateOnSuccess(IP, "user@test.de");
+    }
+
    @SuppressWarnings("unchecked")
    @Test
    void revokeOtherSessions_preserves_current_and_deletes_N_minus_1() {
--- a/backend/src/test/java/org/raddatz/familienarchiv/auth/LoginRateLimiterTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/auth/LoginRateLimiterTest.java
@@ -0,0 +1,67 @@
+package org.raddatz.familienarchiv.auth;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.raddatz.familienarchiv.exception.DomainException;
+import org.raddatz.familienarchiv.exception.ErrorCode;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.assertj.core.api.Assertions.assertThatNoException;
+
+class LoginRateLimiterTest {
+
+    private LoginRateLimiter rateLimiter;
+
+    @BeforeEach
+    void setUp() {
+        RateLimitProperties props = new RateLimitProperties();
+        props.setMaxAttemptsPerIpEmail(10);
+        props.setMaxAttemptsPerIp(20);
+        props.setWindowMinutes(15);
+        rateLimiter = new LoginRateLimiter(props);
+    }
+
+    @Test
+    void tenth_attempt_from_same_ip_email_succeeds() {
+        for (int i = 0; i < 10; i++) {
+            assertThatNoException().isThrownBy(
+                () -> rateLimiter.checkAndConsume("1.2.3.4", "user@example.com"));
+        }
+    }
+
+    @Test
+    void eleventh_attempt_from_same_ip_email_throws_TOO_MANY_LOGIN_ATTEMPTS() {
+        for (int i = 0; i < 10; i++) {
+            rateLimiter.checkAndConsume("1.2.3.4", "user@example.com");
+        }
+
+        assertThatThrownBy(() -> rateLimiter.checkAndConsume("1.2.3.4", "user@example.com"))
+            .isInstanceOf(DomainException.class)
+            .satisfies(ex -> org.assertj.core.api.Assertions.assertThat(((DomainException) ex).getCode())
+                .isEqualTo(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS));
+    }
+
+    @Test
+    void success_after_10_failures_resets_ip_email_bucket() {
+        for (int i = 0; i < 10; i++) {
+            rateLimiter.checkAndConsume("1.2.3.4", "user@example.com");
+        }
+
+        rateLimiter.invalidateOnSuccess("1.2.3.4", "user@example.com");
+
+        assertThatNoException().isThrownBy(
+            () -> rateLimiter.checkAndConsume("1.2.3.4", "user@example.com"));
+    }
+
+    @Test
+    void twentyfirst_attempt_from_same_ip_across_different_emails_throws() {
+        for (int i = 0; i < 20; i++) {
+            rateLimiter.checkAndConsume("1.2.3.4", "user" + i + "@example.com");
+        }
+
+        assertThatThrownBy(() -> rateLimiter.checkAndConsume("1.2.3.4", "attacker@example.com"))
+            .isInstanceOf(DomainException.class)
+            .satisfies(ex -> org.assertj.core.api.Assertions.assertThat(((DomainException) ex).getCode())
+                .isEqualTo(ErrorCode.TOO_MANY_LOGIN_ATTEMPTS));
+    }
+}