AntiBruteforce

[bbday]

I think need anti bruteforce system by Ip for auth, like if you failed X times in Y minutes auth/jwt token system will blacklist your ip for Z minute.
Should be done with middleware just example,just call UpdateBlockIp() when incorrect auth or jwt token

class BlackIpService
    {
        private const int MaxFailed = 6;

        private static readonly ConcurrentDictionary<string, RequestFailed> BlackListIp = new();

        private readonly ILogger<BlackIpService> _logger;
        private readonly RequestDelegate _next;
        private DateTime _nextClear;

        public BlackIpService(RequestDelegate next, ILogger<BlackIpService> logger)
        {
            _next = next;
            _logger = logger;
            _nextClear = DateTime.UtcNow.AddHours(1);
        }

        public async Task Invoke(HttpContext context)
        {
            var remoteIp = context.Connection.RemoteIpAddress;
            //_logger.LogDebug($"Request from Remote IP address: {remoteIp}");

            var currentIp = remoteIp.ToString();

            if (_nextClear <= DateTime.UtcNow)
            {
                _nextClear = DateTime.UtcNow.AddHours(1);
                foreach (var target in BlackListIp.ToArray())
                    if (target.Value.NextReset <= DateTime.UtcNow)
                        BlackListIp.TryRemove(target.Key, out _);
            }

            if (BlackListIp.TryGetValue(currentIp, out var requestFailed))
            {
                if (requestFailed.Failded >= MaxFailed && requestFailed.NextReset >= DateTime.UtcNow)
                {
                    //_logger.LogWarning($"Forbidden Request from Remote IP address: {remoteIp}");
                    context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                    return;
                }

                if (requestFailed.NextReset <= DateTime.UtcNow) BlackListIp.TryRemove(currentIp, out _);
            }

            try
            {
                await _next.Invoke(context);
            }
            finally
            {
                if(context.Response?.StatusCode != 200)
                    _logger.LogWarning("Request {method} {url} => {statusCode} Ip {ip}", context.Request?.Method, context.Request?.Path.Value, context.Response?.StatusCode, context.Connection?.RemoteIpAddress);
            }
        }

        public static void UpdateBlockIp(IPAddress ip)
        {
            var currentIp = ip.ToString();
            if (BlackListIp.TryGetValue(currentIp, out var requestFailed))
            {
                requestFailed.Failded++;
                requestFailed.NextReset = DateTime.UtcNow.AddHours(1);
            }
            else
            {
                BlackListIp.TryAdd(currentIp, new RequestFailed { Failded = 1, NextReset = DateTime.UtcNow.AddHours(1) });
            }
        }

        public static IEnumerable<string> GetBannedIps()
        {
            return BlackListIp.ToList().Where(i => i.Value.Failded >= 6 && i.Value.NextReset >= DateTime.UtcNow).Select(i => i.Key);
        }

        public static bool UnBanIp(string ipTarget)
        {
            return BlackListIp.TryRemove(ipTarget, out _);
        }
    }

struct RequestFailed
    {
        public ushort Failded { get; set; }
        public DateTime NextReset { get; set; }
    }

[iammukeshm]

This is nice to have. Can you raise a PR and make this middleware optional? It should be configurable via the middlewares.json config file.

[bbday]

done

[bbday]

i did it https://github.com/bbday/dotnet-webapi-boilerplate/commit/bad27ace52c44dd034f3e71ce0ba0f00c6fbc4e4
i'm new on github collab then dont have idea how work PR