-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Throttling on token generation/delivery missing #48
Comments
Indeed. I'm about to implement something that limits a given user to a number of token generation attempts per day to prevent spiralling SMS costs. |
To limit a given user to a number of token generation attempts per day, we can add a new attribute token_generation_per_day_limit to the SideChannelDevice model, which will hold the maximum number of tokens that can be generated per day. We will also add a new method get_token_generation_count() to the model to fetch and return the number of token generation attempts made by the user today. Here's a code snippet that shows how we can achieve this:
This method fetches the current date and returns the number of token generation attempts made by the user on that day. We can then use the token_generation_per_day_limit and get_token_generation_count() methods to enforce the daily limit on token generation attempts in the generate_token() method as follows:
This code will check whether the user has exceeded the token generation limit for the day and raise a custom Throttled exception if the limit has been exceeded. If the limit has not been exceeded, it will call the generate_token() method of the super class to generate the token and reset the throttle if it's a new day. By implementing these changes in the SideChannelDevice model, we can limit the number of token generation attempts made by a given user per day. |
The new SideChannelDevice added a generic way to generate, expire and verify tokens that are sent to the user via another channel. There is also a ThrottlingMixin for throttling the verify calls.
Sometimes, like with SMS, every token costs a bit of money. It would be good to add some generic way to throttle the sending of those tokens in order to limit the costs for the website owner in case of an attack.
I think a good place would be the ThrottlingMixin, but I'm not sure what would be the best way to implement it.
The text was updated successfully, but these errors were encountered: