Add rate limiter for login endpoint #4062
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
f2c-ci-robot
bot
added
release-note
Codecov Report
@@ Coverage Diff @@
## main #4062 +/- ##
============================================
- Coverage 60.56% 60.22% -0.34%
+ Complexity 2386 2385 -1
============================================
Files 356 357 +1
Lines 12356 12392 +36
Branches 894 892 -2
============================================
- Hits 7483 7463 -20
- Misses 4432 4492 +60
+ Partials 441 437 -4
|
|
once this PR is merged, i will open a PR adding rate limiter for the comment endpoint, as we discussed in #4044 |
|
How should the login page display error messages? 
|
Thanks for reminding me. I made some changes to support unified error response for login endpoint, please see: {
"type": "https://halo.run/probs/invalid-credential",
"title": "无效凭据",
"status": 401,
"detail": "用户名或密码错误。",
"instance": "http://localhost:8090/login",
"requestId": "ab463fb8-431",
"timestamp": "2023-06-14T07:51:09.529533Z"
}{
"type": "https://halo.run/probs/request-not-permitted",
"title": "请求限制",
"status": 429,
"detail": "请求过于频繁,请稍候再试。",
"instance": "http://localhost:8090/login",
"requestId": "0b14362b-434",
"timestamp": "2023-06-14T07:51:31.110746Z"
} |
Signed-off-by: Ryan Wang <i@ryanc.cc>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: guqing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
f2c-ci-robot
bot
added
approved
f2c-ci-robot
bot
removed
lgtm
f2c-ci-robot bot
pushed a commit
that referenced
this pull request
Jun 21, 2023
…ted (#4101) #### What type of PR is this? /kind bug /area core #### What this PR does / why we need it: This is a bug introduced from #4062. I have overridden onAuthenticationSuccess to create rate limiter in advance instead of invoking `securityContextRepository#save` before. See #4099 (comment) for more. #### Special notes for your reviewer: 1. Try to log in with incorrect password three times 2. Log in with correct password and check if the response headers contain `Set-Cookie` #### Does this PR introduce a user-facing change? ```release-note None ```
Closed
Open
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
/area core
What this PR does / why we need it:
This PR introduces https://github.com/resilience4j/resilience4j to archive the feature. The login endpoint has limited login failures at a rate of 3 per minute.
See #4044 for more.
Which issue(s) this PR fixes:
Fixes #4044
Special notes for your reviewer:
Does this PR introduce a user-facing change?