Documentation
¶
Index ¶
- func ApplyAccessProviders(manager *sdkaccess.Manager, oldCfg, newCfg *config.Config) (bool, error)
- func HashAccountKey(raw string) string
- type AuthRateLimiter
- func (rl *AuthRateLimiter) IsAccountLimited(accountHash string) bool
- func (rl *AuthRateLimiter) IsLimited(ip string) bool
- func (rl *AuthRateLimiter) RecordAccountFailure(accountHash string)
- func (rl *AuthRateLimiter) RecordAccountSuccess(accountHash string)
- func (rl *AuthRateLimiter) RecordFailure(ip string)
- func (rl *AuthRateLimiter) RecordSuccess(ip string)
- func (rl *AuthRateLimiter) Stop()
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyAccessProviders ¶
ApplyAccessProviders reconciles the configured access providers against the currently registered providers and updates the manager. It logs a concise summary of the detected changes and returns whether any provider changed.
func HashAccountKey ¶
HashAccountKey derives a non-reversible identifier for a credential candidate. Returns empty string for empty input so callers can short-circuit safely.
Types ¶
type AuthRateLimiter ¶
type AuthRateLimiter struct {
// contains filtered or unexported fields
}
AuthRateLimiter tracks authentication failures and enforces rate limits on two independent axes:
- per client IP (mitigates a single host brute-forcing)
- per candidate account identifier (mitigates attackers rotating IPs against one account)
After maxFailures within failureWindow on either axis, subsequent requests are rejected with 429 until lockoutDuration elapses.
func NewAuthRateLimiter ¶
func NewAuthRateLimiter() *AuthRateLimiter
NewAuthRateLimiter creates a rate limiter and starts background cleanup.
func (*AuthRateLimiter) IsAccountLimited ¶
func (rl *AuthRateLimiter) IsAccountLimited(accountHash string) bool
IsAccountLimited returns true if the given account identifier is currently locked out. Use HashAccountKey to derive accountHash from a raw credential — never pass raw secrets.
func (*AuthRateLimiter) IsLimited ¶
func (rl *AuthRateLimiter) IsLimited(ip string) bool
IsLimited returns true if the given IP is currently locked out.
func (*AuthRateLimiter) RecordAccountFailure ¶
func (rl *AuthRateLimiter) RecordAccountFailure(accountHash string)
RecordAccountFailure records an authentication failure for the given account hash.
func (*AuthRateLimiter) RecordAccountSuccess ¶
func (rl *AuthRateLimiter) RecordAccountSuccess(accountHash string)
RecordAccountSuccess clears all failure state for the given account hash.
func (*AuthRateLimiter) RecordFailure ¶
func (rl *AuthRateLimiter) RecordFailure(ip string)
RecordFailure records an authentication failure for the given IP. If the failure count reaches the threshold within the window, the IP is locked out.
func (*AuthRateLimiter) RecordSuccess ¶
func (rl *AuthRateLimiter) RecordSuccess(ip string)
RecordSuccess clears all failure state for the given IP.
func (*AuthRateLimiter) Stop ¶
func (rl *AuthRateLimiter) Stop()
Stop terminates the background cleanup goroutine. Safe to call multiple times.