From 7f8e44b3b52eefc7cd60bd9ac953a9642ab52e1e Mon Sep 17 00:00:00 2001
From: Joachim Bauch
Date: Tue, 14 May 2024 12:02:36 +0200
Subject: [PATCH] Add bruteforce detection to backend server room handler.

---
 backend_server.go | 14 +++++++++++++-
 hub.go | 10 ++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/backend_server.go b/backend_server.go
index a534ed5..309c21a 100644
--- a/backend_server.go
+++ b/backend_server.go
@@ -761,6 +761,16 @@ func (b *BackendServer) startDialout(roomid string, backend *Backend, backendUrl
  }
 
  func (b *BackendServer) roomHandler(w http.ResponseWriter, r *http.Request, body []byte) {
+ throttle, err := b.hub.throttler.CheckBruteforce(r.Context(), b.hub.getRealUserIP(r), "BackendRoomAuth")
+ if err == ErrBruteforceDetected {
+ http.Error(w, "Too many requests", http.StatusTooManyRequests)
+ return
+ } else if err != nil {
+ log.Printf("Error checking for bruteforce: %s", err)
+ http.Error(w, "Could not check for bruteforce", http.StatusInternalServerError)
+ return
+ }
+
  v := mux.Vars(r)
  roomid := v["roomid"]
 
@@ -773,6 +783,7 @@ func (b *BackendServer) roomHandler(w http.ResponseWriter, r *http.Request, body
 
  if backend == nil {
  // Unknown backend URL passed, return immediately.
+ throttle(r.Context())
  http.Error(w, "Authentication check failed", http.StatusForbidden)
  return
  }
@@ -794,12 +805,14 @@ func (b *BackendServer) roomHandler(w http.ResponseWriter, r *http.Request, body
 
  }
  if backend == nil {
+ throttle(r.Context())
  http.Error(w, "Authentication check failed", http.StatusForbidden)
  return
  }
  }
 
  if !ValidateBackendChecksum(r, body, backend.Secret()) {
+ throttle(r.Context())
  http.Error(w, "Authentication check failed", http.StatusForbidden)
  return
  }
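Review bot: The new throttle in roomHandler is keyed on whatever `b.hub.getRealUserIP(r)` returns, so the protection is only as strong as that helper's handling of forwarding headers: if it honors `X-Forwarded-For`/`X-Real-IP` from arbitrary clients instead of only from trusted proxies, a caller can rotate the header per request and keep brute-forcing the backend checksum unthrottled; worth confirming, since that function is not part of this diff. Failing closed with a 500 when the throttler itself errors is the right default, and the 429 branch could additionally set `w.Header().Set("Retry-After", ...)` if the throttler exposes its window, so well-behaved backends back off instead of retrying immediately. A small style point: `err == ErrBruteforceDetected` stops matching as soon as a throttler implementation wraps the sentinel, so `errors.Is(err, ErrBruteforceDetected)` is the more robust comparison. roomHandler continues past the end of this hunk.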
@@ -814,7 +827,6 @@ func (b *BackendServer) roomHandler(w http.ResponseWriter, r *http.Request, body
  request.ReceivedTime = time.Now().UnixNano()
 
  var response any
- var err error
  switch request.Type {
  case "invite":
  b.sendRoomInvite(roomid, backend, request.Invite.UserIds, request.Invite.Properties)
diff --git a/hub.go b/hub.go
index 77a86c7..fd80ffc 100644
--- a/hub.go
+++ b/hub.go
@@ -173,6 +173,8 @@ type Hub struct {
 
  rpcServer *GrpcServer
  rpcClients *GrpcClients
+
+ throttler Throttler
  }
 
  func NewHub(config *goconf.ConfigFile, events AsyncEvents, rpcServer *GrpcServer, rpcClients *GrpcClients, etcdClient *EtcdClient, r *mux.Router, version string) (*Hub, error) {
@@ -328,6 +330,11 @@ func NewHub(config *goconf.ConfigFile, events AsyncEvents, rpcServer *GrpcServer
  }
  }
 
+ throttler, err := NewMemoryThrottler()
+ if err != nil {
+ return nil, err
+ }
+
  hub := &Hub{
  events: events,
  upgrader: websocket.Upgrader{
@@ -376,6 +383,8 @@ func NewHub(config *goconf.ConfigFile, events AsyncEvents, rpcServer *GrpcServer
 
  rpcServer: rpcServer,
  rpcClients: rpcClients,
+
+ throttler: throttler,
  }
  hub.setWelcomeMessage(&ServerMessage{
  Type: "welcome",
@@ -498,6 +507,7 @@ loop:
 
  func (h *Hub) Stop() {
  h.closer.Close()
+ h.throttler.Close()
  }
 
  func (h *Hub) Reload(config *goconf.ConfigFile) {
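Review bot: `NewMemoryThrottler()` in the NewHub hunk keeps its failure counters in this process only, so in a deployment with several signaling servers behind one load balancer (the `rpcClients` field suggests clustered setups exist) each instance counts `BackendRoomAuth` failures independently and an attacker gets roughly N times the budget before any one node answers 429. That limitation deserves a comment at the construction site, e.g. `// Per-process limiter: failed-auth counts are not shared across clustered instances.`, until a shared-storage throttler exists. The throttler is also built with fixed defaults and `Reload` is not touched, so thresholds cannot be tuned from the config file; that is an inference, since the throttler's options are not visible in this diff. Both the Hub struct and NewHub extend beyond the hunks shown.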