SECURITY: rate limit user/password login
SamSaffron committed Sep 25, 2014
1 parent ffa11bd commit d53e016
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions app/controllers/session_controller.rb
Expand Up @@ -51,6 +51,9 @@ def create
return
end

RateLimiter.new(nil, "login-hr-#{request.remote_ip}", 30, 1.hour).performed!
RateLimiter.new(nil, "login-min-#{request.remote_ip}", 6, 1.minute).performed!

params.require(:login)
params.require(:password)

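Review bot: both limiters are keyed solely on `request.remote_ip`, so every client behind one shared egress address (a classroom LAN, a corporate NAT, or a reverse proxy that does not pass the real client address through) draws from a single budget of 6 attempts per minute and 30 per hour, and a few mistyped passwords lock out everyone on that address; consider pairing the per-IP limiter with a per-account one keyed on the submitted login, and lifting the `30`/`1.hour` and `6`/`1.minute` literals into site settings so operators can tune them instead of patching the controller. Passing `nil` as the first argument also leaves the limiter with no user to associate with the attempt. Calling `performed!` before `params.require(:login)` and `params.require(:password)` means malformed requests still consume the budget, which is the conservative ordering and worth keeping.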

3 comments on commit d53e016

@eviltrout
Contributor


❤️

@everaldo


I would ❤️ to see this feature extracted to the Admin Panel, because I use Discourse with my students here in Brazil, and they get locked out because we are all on the same LAN, sharing the same IP.

I hardcoded a new value, but I'm not sure that I can manage to keep up to date with the Discourse main branch.

@erlend-sh
Contributor


Hey @everaldo, I suggest you start a feature topic about this on meta.discourse.org, as we can more easily discuss and track it there. Walk us through your hardcoded changes and we can evaluate them.
