feat: prevent large HTTP POST body and slow trickle requests DOS vectors in...

feat: prevent large HTTP POST body and slow trickle requests DOS vectors in keyshareserer and myirmaserver

server/keyshare/keyshareserver/server.go

@@ -115,20 +115,25 @@ func (s *Server) Handler() http.Handler {
 		router.Use(server.LogMiddleware("keyshareserver", opts))
 	}
 
-	// Registration
-	router.Post("/client/register", s.handleRegister)
-
-	// Pin logic
-	router.Post("/users/verify/pin", s.handleVerifyPin)
-	router.Post("/users/change/pin", s.handleChangePin)
-
-	// Keyshare sessions
 	router.Group(func(router chi.Router) {
-		router.Use(s.userMiddleware)
-		router.Use(s.authorizationMiddleware)
-		router.Post("/users/isAuthorized", s.handleValidate)
-		router.Post("/prove/getCommitments", s.handleCommitments)
-		router.Post("/prove/getResponse", s.handleResponse)
+		router.Use(server.SizeLimitMiddleware)
+		router.Use(server.TimeoutMiddleware(nil, server.WriteTimeout))
+
+		// Registration
+		router.Post("/client/register", s.handleRegister)
+
+		// Pin logic
+		router.Post("/users/verify/pin", s.handleVerifyPin)
+		router.Post("/users/change/pin", s.handleChangePin)
+
+		// Keyshare sessions
+		router.Group(func(router chi.Router) {
+			router.Use(s.userMiddleware)
+			router.Use(s.authorizationMiddleware)
+			router.Post("/users/isAuthorized", s.handleValidate)
+			router.Post("/prove/getCommitments", s.handleCommitments)
+			router.Post("/prove/getResponse", s.handleResponse)
+		})
 	})
 
 	// IRMA server for issuing myirma credential during registration

server/keyshare/myirmaserver/server.go

@@ -87,30 +87,35 @@ func (s *Server) Handler() http.Handler {
 
 	router.Use(cors.New(corsOptions).Handler)
 
-	// Login/logout
-	router.Post("/login/irma", s.handleIrmaLogin)
-	router.Post("/login/email", s.handleEmailLogin)
-	router.Post("/login/token/candidates", s.handleGetCandidates)
-	router.Post("/login/token", s.handleTokenLogin)
-	router.Post("/logout", s.handleLogout)
+	router.Group(func(router chi.Router) {
+		router.Use(server.SizeLimitMiddleware)
+		router.Use(server.TimeoutMiddleware(nil, server.WriteTimeout))
 
-	// Email verification
-	router.Post("/verify", s.handleVerifyEmail)
+		// Login/logout
+		router.Post("/login/irma", s.handleIrmaLogin)
+		router.Post("/login/email", s.handleEmailLogin)
+		router.Post("/login/token/candidates", s.handleGetCandidates)
+		router.Post("/login/token", s.handleTokenLogin)
+		router.Post("/logout", s.handleLogout)
 
-	// Session management
-	router.Post("/checksession", s.handleCheckSession)
+		// Email verification
+		router.Post("/verify", s.handleVerifyEmail)
 
-	router.Group(func(router chi.Router) {
-		router.Use(s.sessionMiddleware)
+		// Session management
+		router.Post("/checksession", s.handleCheckSession)
 
-		// User account data
-		router.Get("/user", s.handleUserInfo)
-		router.Get("/user/logs/{offset}", s.handleGetLogs)
-		router.Post("/user/delete", s.handleDeleteUser)
+		router.Group(func(router chi.Router) {
+			router.Use(s.sessionMiddleware)
 
-		// Email address management
-		router.Post("/email/add", s.handleAddEmail)
-		router.Post("/email/remove", s.handleRemoveEmail)
+			// User account data
+			router.Get("/user", s.handleUserInfo)
+			router.Get("/user/logs/{offset}", s.handleGetLogs)
+			router.Post("/user/delete", s.handleDeleteUser)
+
+			// Email address management
+			router.Post("/email/add", s.handleAddEmail)
+			router.Post("/email/remove", s.handleRemoveEmail)
+		})
 	})
 
 	// IRMA session server