feat(server): make tenant login guard toggleable via config
Add auth.login_guard.enabled config (default on) so the tenant login brute-force / rate-limit guard can be disabled per environment. Surfaces an AUTH_LOGIN_GUARD_ENABLED env override and a startup warning when disabled. Wired through Diff() so hot reload picks up changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -163,6 +163,10 @@ jwt:
|
||||
access_ttl: 15m
|
||||
refresh_ttl: 720h
|
||||
|
||||
auth:
|
||||
login_guard:
|
||||
enabled: true
|
||||
|
||||
log:
|
||||
level: debug,info,warn,error
|
||||
format: json
|
||||
|
||||
@@ -113,7 +113,12 @@ func New(configPath string) (*App, error) {
|
||||
|
||||
jwtMgr := auth.NewManager(cfg.JWT.Secret, cfg.JWT.AccessTTL, cfg.JWT.RefreshTTL)
|
||||
sessions := auth.NewSessionStore(rdb)
|
||||
loginGuard := auth.NewLoginGuard(rdb, auth.DefaultLoginGuardConfig("tenant"))
|
||||
loginGuardCfg := auth.DefaultLoginGuardConfig("tenant")
|
||||
loginGuardCfg.Enabled = cfg.Auth.LoginGuard.Enabled
|
||||
if !loginGuardCfg.Enabled {
|
||||
logger.Warn("tenant login guard disabled by config; brute-force / rate-limit protection is off")
|
||||
}
|
||||
loginGuard := auth.NewLoginGuard(rdb, loginGuardCfg)
|
||||
llmClient := llm.NewReloadableClient(llm.New(cfg.LLM))
|
||||
retrievalProvider := retrieval.NewReloadableProvider(retrieval.NewProvider(cfg.Retrieval, logger))
|
||||
vectorStore := retrieval.NewReloadableVectorStore(retrieval.NewQdrantStore(cfg.Qdrant, logger))
|
||||
|
||||
@@ -33,6 +33,7 @@ type Config struct {
|
||||
ObjectStorage ObjectStorageConfig `mapstructure:"object_storage"`
|
||||
Cache CacheConfig `mapstructure:"cache"`
|
||||
JWT JWTConfig `mapstructure:"jwt"`
|
||||
Auth AuthConfig `mapstructure:"auth"`
|
||||
Log LogConfig `mapstructure:"log"`
|
||||
LLM LLMConfig `mapstructure:"llm"`
|
||||
Compliance ComplianceConfig `mapstructure:"compliance"`
|
||||
@@ -273,6 +274,14 @@ type JWTConfig struct {
|
||||
RefreshTTL time.Duration `mapstructure:"refresh_ttl"`
|
||||
}
|
||||
|
||||
type AuthConfig struct {
|
||||
LoginGuard LoginGuardConfig `mapstructure:"login_guard"`
|
||||
}
|
||||
|
||||
type LoginGuardConfig struct {
|
||||
Enabled bool `mapstructure:"enabled"`
|
||||
}
|
||||
|
||||
type LogConfig struct {
|
||||
Level string `mapstructure:"level"`
|
||||
Format string `mapstructure:"format"`
|
||||
@@ -476,6 +485,11 @@ func applyConfigDefaults(settings map[string]any) {
|
||||
if _, ok := complianceSettings["enabled"]; !ok {
|
||||
complianceSettings["enabled"] = true
|
||||
}
|
||||
authSettings := ensureMapSetting(settings, "auth")
|
||||
loginGuardSettings := ensureMapSetting(authSettings, "login_guard")
|
||||
if _, ok := loginGuardSettings["enabled"]; !ok {
|
||||
loginGuardSettings["enabled"] = true
|
||||
}
|
||||
}
|
||||
|
||||
func ensureMapSetting(settings map[string]any, key string) map[string]any {
|
||||
@@ -800,6 +814,9 @@ func applyEnvOverrides(cfg *Config) {
|
||||
if ttl, ok := lookupDurationEnv("JWT_REFRESH_TTL"); ok {
|
||||
cfg.JWT.RefreshTTL = ttl
|
||||
}
|
||||
if enabled, ok := lookupBoolEnv("AUTH_LOGIN_GUARD_ENABLED"); ok {
|
||||
cfg.Auth.LoginGuard.Enabled = enabled
|
||||
}
|
||||
if apiKey, ok := lookupNonEmptyEnv("LLM_API_KEY"); ok {
|
||||
cfg.LLM.APIKey = apiKey
|
||||
}
|
||||
|
||||
@@ -74,6 +74,9 @@ func Diff(previous, current *Config) []FieldChange {
|
||||
if previous.JWT != current.JWT {
|
||||
addChange("jwt", true)
|
||||
}
|
||||
if previous.Auth != current.Auth {
|
||||
addChange("auth", true)
|
||||
}
|
||||
if previous.LLM != current.LLM {
|
||||
addChange("llm", true)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user