Add rate-limit of TOTP authentication attempts at controller level #28801
Conversation
For anyone curious about this, there is already an IP-based rate-limit on this endpoint, enforced by
This is only triggered once the user has correctly used their password and is entering their 2FA, so it can't be used to lock out a specific user (unless you know their password, which should not happen).
Codecov Report
Attention:

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #28801      +/-   ##
==========================================
+ Coverage   84.86%   85.15%   +0.28%
==========================================
  Files        1038     1038
  Lines       28169    28361     +192
  Branches     4531     4590      +59
==========================================
+ Hits        23906    24150     +244
+ Misses       3103     3047      -56
- Partials     1160     1164       +4
c3e165c to e3828c3
We already have IP and user-based rate-limits in our rack-attack config, but this adds a stricter per-user rate-limit at the controller level.