fix(ldap-auth) credential rate-limiting and hashing of cache key #5497
Summary
fix(ldap-auth) credential to have id for rate-limiting

Currently `ldap-auth` does set virtual credential in context on authentication, but that virtual credential does not have `id`, which means that rate-limiting plugin cannot rate-limit by the credential, and thus falls back to rate-limit by IP.

This commit adds `cache_key` as `id` for that virtual credential.

fix(ldap-auth) hash cache key

Currently `ldap-auth` does seem to use `username` and `password` in a `cache_key` in plain. This is potentially dangerous and may be leaked through it to different places.

This commit fixes that by calling `sha1_bin` on that when generating a cache key. It also drops the use of `md5`.

Issues resolved
Fix #4129
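The two changes described in this PR, shown together as an added Python illustration (this is not Kong's or the ldap-auth plugin's own code): a cache key that carries the credentials in plain beside one that passes them through SHA-1 first, and a rate limiter that keys on the virtual credential's `id` when present and otherwise falls back to the client IP. The key layout `ldap_auth_cache:<host>:...`, the function names `cache_key_plain`, `cache_key_hashed`, `make_virtual_credential` and the `FixedWindowLimiter` class are assumptions made for the example; only the name `sha1_bin` is taken from the PR text.

```python
import hashlib
from collections import defaultdict
from typing import Optional


def sha1_bin(data: str) -> bytes:
    """Raw (binary) SHA-1 digest; the name mirrors the helper the PR calls."""
    return hashlib.sha1(data.encode("utf-8")).digest()


def cache_key_plain(ldap_host: str, username: str, password: str) -> str:
    """'Before' shape (assumed layout): secret material sits verbatim in the key,
    so anything that logs or inspects cache keys sees the password."""
    return f"ldap_auth_cache:{ldap_host}:{username}:{password}"


def cache_key_hashed(ldap_host: str, username: str, password: str) -> str:
    """'After' shape (assumed layout): username and password are hashed with
    SHA-1 before they enter the key, so the key holds no plaintext secret."""
    digest = sha1_bin(f"{username}:{password}")
    return f"ldap_auth_cache:{ldap_host}:{digest.hex()}"


def make_virtual_credential(ldap_host: str, username: str, password: str) -> dict:
    """Virtual credential set in the request context after a successful bind.
    The fix gives it an 'id' (the cache key) so downstream plugins can key on it."""
    return {"id": cache_key_hashed(ldap_host, username, password), "username": username}


class FixedWindowLimiter:
    """Minimal fixed-window counter. The point here is the identifier choice
    (credential id vs. client IP), not the counting algorithm itself."""

    def __init__(self, limit: int, window_seconds: int) -> None:
        self.limit = limit
        self.window = window_seconds
        self.counts = defaultdict(int)  # (identifier, window index) -> hits

    @staticmethod
    def identifier(credential: Optional[dict], client_ip: str) -> str:
        # Same fallback the PR describes: no credential id means per-IP limiting.
        if credential and credential.get("id"):
            return "credential:" + credential["id"]
        return "ip:" + client_ip

    def allow(self, credential: Optional[dict], client_ip: str, now: float) -> bool:
        """Return True if this request fits within the current window's limit."""
        bucket = (self.identifier(credential, client_ip), int(now) // self.window)
        if self.counts[bucket] >= self.limit:
            return False
        self.counts[bucket] += 1
        return True


if __name__ == "__main__":
    # Constructed sample values; no real directory or user is involved.
    cred = make_virtual_credential("ldap.example.test", "alice", "hunter2")
    limiter = FixedWindowLimiter(limit=2, window_seconds=60)
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(ip, "allowed" if limiter.allow(cred, ip, 100.0) else "limited")
```

With an `id` on the credential, the third request is limited even though each one arrives from a different IP; with the pre-fix credential (no `id`) the same three requests are all allowed because each IP gets its own counter. Hashing removes the plaintext from the key, but the cache entry is still addressed by an unsalted digest of a user-chosen password, so the cache store itself still needs to be treated as sensitive.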