Temporary account lockout for repeated auth failure #5032
Conversation
| @@ -28,7 +28,7 @@ | |||
| -export([cookie_auth_header/2]). | |||
| -export([handle_session_req/1, handle_session_req/2]). | |||
|
|
|||
| -export([authenticate/4, verify_totp/2]). | |||
There was a problem hiding this comment.
apparently not used externally, so I removed the export rather than update the arity.
lockout is its own thing, e.g. https://en.wikipedia.org/wiki/Lockout_%28industry%29 |
rnewson
force-pushed
the
lockout
branch
4 times, most recently
from
a7697f2
to
8ab44e9
Compare
src/couch/src/couch_auth_lockout.erl
Outdated
| -export([is_locked_out/3, lockout/3]). | ||
|
|
||
| is_locked_out(#httpd{} = Req, UserName, UserSalt) -> | ||
| case config:get_boolean("couch_lockout", "enable", true) of |
There was a problem hiding this comment.
Would it make sense now (after renaming to couch_auth_lockout.erl) to put it under the [chttpd_auth] section as lockout key?
There was a problem hiding this comment.
Ah no, maybe not at the moment, because it isn't a cluster wide setting / functionality yet ...
There was a problem hiding this comment.
I'm open to suggestions here. putting the controls under [chttpd_auth] seems reasonable to me. @janl ?
rnewson
force-pushed
the
lockout
branch
4 times, most recently
from
e929e29
to
0bf5fbc
Compare
rnewson
force-pushed
the
lockout
branch
3 times, most recently
from
222a1ab
to
424dda4
Compare
| defp test_couch_auth_lockout_enforcement do | ||
| # exceed the lockout threshold | ||
| for _n <- 1..5 do | ||
| resp = Couch.get("/_all_dbs", | ||
| no_auth: true, | ||
| headers: [authorization: "Basic #{:base64.encode("couch_auth_lockout:baz")}"] | ||
| ) | ||
| assert resp.status_code == 401 | ||
| end |
There was a problem hiding this comment.
Might be worth having a test with a warn mode just validate that code path and that doesn't crash anything?
There was a problem hiding this comment.
ah for sure, I also meant to add a test to prove it forgives you (and goes back to 401)
| ; failures. The account is automatically unlocked at the end of this time, starting | ||
| ; from the _first_ authentication failure. | ||
| ; note: changing this setting requires a couchdb restart. | ||
| ;max_lifetime = 300000 |
There was a problem hiding this comment.
Add a newline to avoid having a red warning marker, and mess with some users editors where it would auto-append it on save later when we update the file again.
Overview
Enhance couchdb to efficiently reject requests for a given user if repeated requests have failed for authentication reasons, from the same IP address. This helps slow brute-force password attacks and is especially helpful if each authentication attempt is very expensive (pbkdf2 with a high iteration count, typically).
Testing recommendations
will be covered by automated tests
Related Issues or Pull Requests
Checklist
rel/overlay/etc/default.inisrc/docsfolder