pub struct RootPasswordGuard { /* private fields */ }Expand description
Per-client-IP brute-force guard for the root-password endpoints (#190).
Keyed by a best-effort client-IP string (see client_ip_key) so a single
attacker only locks out their own key, not every client. Each key:
- increments a failure counter on a wrong password;
- after [
ROOT_PASSWORD_FAILURE_THRESHOLD] (5) consecutive failures, trips a [ROOT_PASSWORD_COOLDOWN] (60s) lockout — further attempts from that key are rejected with HTTP 429 BEFORE the password is even compared; - resets on any successful password check;
- self-heals: once the cooldown elapses the key’s state is cleared, so a key that simply made a few mistakes recovers automatically.
Loopback exemption is the CALLER’s responsibility (it never calls into the guard for a local request) so the desktop can never lock itself out.
This is per-PROCESS state and is NOT persisted — a restart clears all
counters by design. The code-redemption path keeps its own PairingCodeGuard
(a separate, global guard); this is strictly the root-password paths.
Implementations§
Source§impl RootPasswordGuard
impl RootPasswordGuard
Sourcepub fn check(&self, key: &str) -> RootGuardDecision
pub fn check(&self, key: &str) -> RootGuardDecision
Check whether key is currently locked. Clears an elapsed cooldown (and
its failure count) as a side effect so a recovered key returns Allow.
Sourcepub fn record_failure(&self, key: &str)
pub fn record_failure(&self, key: &str)
Record a failed root-password attempt for key. Trips the cooldown once
the threshold is reached.
Sourcepub fn record_success(&self, key: &str)
pub fn record_success(&self, key: &str)
Reset key after a successful root-password check.