fix adopt auth bypass, add rate limiting

This commit is contained in:
Arkadiy Kukarkin
2025-12-25 19:19:28 +01:00
parent 6959aff335
commit 558b4ddf1c
6 changed files with 200 additions and 28 deletions


@@ -35,9 +35,17 @@ all config via environment variables:
| HAUK_REDIS_ADDR | localhost:6379 | redis address (host:port or redis:// url) |
| HAUK_AUTH_METHOD | password | auth method (password, htpasswd, ldap) |
| HAUK_PASSWORD_HASH | | bcrypt hash for password auth |
| HAUK_RATE_LIMIT_AUTH | 10 | max auth requests per minute per ip |
| HAUK_RATE_LIMIT_ADOPT | 10 | max adopt requests per minute per ip |
| HAUK_TRUST_PROXY | true | trust X-Forwarded-For (set false if not behind proxy) |
see `config/config.go` for full list.
## security improvements over upstream
- adopt authorization: only share owner can adopt into groups (fixes CVE-like auth bypass in upstream)
- built-in rate limiting on auth and adopt endpoints (configurable, default 10 req/min/ip)
## compatibility
drop-in replacement for the php backend. works with the existing android app and web frontend.
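Review bot: The `HAUK_TRUST_PROXY` row documents a default of `true`, which means a deployment that is not actually behind a reverse proxy will derive the client IP from `X-Forwarded-For`, and the per-IP limits in the `HAUK_RATE_LIMIT_AUTH` and `HAUK_RATE_LIMIT_ADOPT` rows are then keyed on a header the client controls. Consider defaulting it to `false`, or at least stating in the "security improvements" list that the rate limits only hold when `HAUK_TRUST_PROXY` matches the real topology. Separately, the bullet "fixes CVE-like auth bypass in upstream" is too vague for a security note: say what the upstream check was missing (per the same bullet, a share-owner check on adopt) and link an advisory or issue if one exists, so readers can judge whether their upstream deployment is affected.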