From c0e330ee4e0f003579f79fa1a299531137c08590 Mon Sep 17 00:00:00 2001
From: Bernd Worsch
Date: Wed, 25 Mar 2026 01:55:10 +0000
Subject: [PATCH] fix(privacyidea): disable response signing + raise rate limit to unblock login

PI_NO_RESPONSE_SIGN=True works around Werkzeug 3.x crash where request.json raises BadRequest on GET requests with empty bodies (sign_response path).

Rate limit raised from 20/5 to 200/100 req/min to allow the AngularJS UI's burst of ~50 parallel static asset requests on each page load without being throttled by Traefik.

TODO: split tight /auth+/validate vs loose /static limits.

Co-Authored-By: Claude Sonnet 4.6
---
 sso-mfa/k8s/privacyidea/configmap.yaml | 5 +++++
 sso-mfa/k8s/privacyidea/middleware.yaml | 10 +++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/sso-mfa/k8s/privacyidea/configmap.yaml b/sso-mfa/k8s/privacyidea/configmap.yaml
index 0ee2e6f..cc5685b 100644
--- a/sso-mfa/k8s/privacyidea/configmap.yaml
+++ b/sso-mfa/k8s/privacyidea/configmap.yaml
@@ -43,3 +43,8 @@ data:
 # Scripts folder for event handlers (leave default unless customising).
 PI_SCRIPT_FOLDER = "/etc/privacyidea/scripts"
+
+ # Disable response signing — sign_response crashes on GET requests with
+ # Werkzeug 3.x because request.json raises BadRequest for empty bodies.
+ # The audit keys are still used for audit log signing.
+ PI_NO_RESPONSE_SIGN = True
diff --git a/sso-mfa/k8s/privacyidea/middleware.yaml b/sso-mfa/k8s/privacyidea/middleware.yaml
index 7117a6e..cc89c29 100644
--- a/sso-mfa/k8s/privacyidea/middleware.yaml
+++ b/sso-mfa/k8s/privacyidea/middleware.yaml
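Review bot: `PI_NO_RESPONSE_SIGN = True` switches off the signature on every API response, including the `/validate/check` verdict, so a consumer can no longer detect a response altered between privacyIDEA and itself; the hunk's comment records only the crash workaround, not this trade-off or an exit condition. Any client that checks the response `signature` field (the middleware comments in this same patch mention a Keycloak provider as an API caller; I cannot see its configuration) must be confirmed to accept unsigned responses, and pinning Werkzeug below 3 or taking the upstream privacyIDEA fix is the durable remedy rather than a disabled control. I would extend the comment to: `# SECURITY: API responses (incl. /validate/check verdicts) are now unsigned; transport TLS is the only integrity guarantee. TEMPORARY — re-enable once Werkzeug is pinned <3 or the upstream sign_response fix lands; track in <ticket>.` The enclosing `data:` block scalar starts outside the hunk, so the key and indentation these lines land under cannot be checked here.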
@@ -13,9 +13,9 @@
 # ── Rate limit — all PI endpoints ────────────────────────────────────────────
 # Applies globally to pink.coulomb.social.
 # Primary protection for /validate/check (OTP verification) and /auth.
-# 20 requests/minute per client IP; burst of 5 allowed.
-# Adjust average/burst upward if legitimate automation (e.g. Keycloak Provider)
-# triggers false positives — or exclude the Keycloak source IP at network level.
+# 200 requests/minute average; burst of 100 to allow the ~50 parallel static
+# asset requests the AngularJS UI fires on every page load.
+# TODO: split into a tight limit for /auth+/validate and a loose one for /static.
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -26,9 +26,9 @@ metadata:
 net-kingdom/component: mfa
 spec:
 rateLimit:
- average: 20
+ average: 200
 period: 1m
- burst: 5
+ burst: 100
 ---
 # ── Admin path allowlist — restrict WebUI to internal/VPN IPs ────────────────
 # Applied to the /admin/* Ingress (see ingress.yaml — separate Ingress for /admin/).
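Review bot: `average: 200` with `burst: 100` on the middleware the context calls the primary protection for `/validate/check` and `/auth` lets a single source try 100 OTP values at once and about 288,000 per day, which for a 6-digit OTP with a small validity window puts a single-source online guess within roughly a day, and if Traefik runs more than one replica the in-memory limiter multiplies that again. The trailing context shows `/admin/` already gets its own Ingress, so the same pattern can keep the old 20/5 limit on the auth routes now — bind this Middleware only to the `/auth` and `/validate` Ingress and attach a second, looser one to `/static` — instead of leaving the split as a TODO. If the loose global limit is kept for this commit, the comment should say what actually holds the line: `# SECURITY: 100-burst/200-per-min per IP is not an OTP brute-force control; relies on privacyIDEA token failcounter/maxfail lockout — verify it is enabled.` It is also worth confirming the rateLimit `sourceCriterion`/`ipStrategy` so that clients arriving through the ingress are keyed on their real address rather than one proxy IP; the Middleware's `metadata.name` lies between the two hunks, so I cannot quote the exact route binding.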