Audit changes.

hub/handlers.go

@@ -3,7 +3,9 @@ package hub
 import (
 	"encoding/json"
 	"log"
+	"math/rand/v2"
 	"net/http"
+	"time"
 	"vppn/hub/api"
 	"vppn/hub/errs"
 	"vppn/m"
@@ -26,6 +28,12 @@ func (a *App) _signin(s *api.Session, w http.ResponseWriter, r *http.Request) er
 }
 
 func (a *App) _signinSubmit(s *api.Session, w http.ResponseWriter, r *http.Request) error {
+	if !a.signInLock.TryLock(r.RemoteAddr) {
+		time.Sleep(time.Duration(rand.Int64N(int64(4 * time.Second))))
+		return errs.ErrNotAuthorized
+	}
+	defer a.signInLock.Unlock(r.RemoteAddr)
+
 	var pwd string
 	err := webutil.NewFormScanner(r.Form).
 		Scan("Password", &pwd).
@@ -36,8 +44,10 @@ func (a *App) _signinSubmit(s *api.Session, w http.ResponseWriter, r *http.Reque
 
 	sess, err := a.api.Session_SignIn(pwd)
 	if err != nil {
+		time.Sleep(time.Duration(rand.Int64N(int64(4 * time.Second))))
 		return err
 	}
+
 	a.setCookie(w, sessionIDCookieName, sess.SessionID)
 
 	return a.redirect(w, r, "/")