Too many attempts when repeatedly logging in with correct password #8736

Open
jasongi-actu opened this issue Oct 22, 2018 · 6 comments

6 participants
@jasongi-actu

commented Oct 22, 2018

  • Your browser and the version: N/A
  • Your operating system: Mac OSX
  • Your databases: Postgres
  • Metabase version: (e.x. 0.30.4)
  • Metabase hosting environment: Docker
  • Metabase internal database: Postgres

I am currently automating some metabase things with the API, which includes logging in with the api/session endpoint. I have noticed that eventually if I run the script too many times sequentially, my account gets locked even though I've logged in with the correct password each time. A suggested fix would be to only increment the login attempt counter if the password is incorrect.

@senior

Contributor

commented Oct 22, 2018

I added an environment variable MB_DISABLE_SESSION_THROTTLE to disable that session throttling. It's not exactly what you are asking for, but I used it to help in load testing, as a part of #8574. It has been merged and will be included with 0.31.0.

@mazameli

Contributor

commented Oct 24, 2018

@senior Can we say this is resolved by #8574?

@salsakran

Contributor

commented Oct 24, 2018

@jasongi-actu How many times are you running the script and why don't you cache session credentials?

I'm inclined to think this is a pretty niche issue, and that for development MB_DISABLE_SESSION_THROTTLE should suffice.

@jasongi-actu

Author

commented Oct 24, 2018

I'm not sure MB_DISABLE_SESSION_THROTTLE solves the issue. I'm assuming that will disable throttling even for incorrect logins? Not really acceptable on a production instance. I can (and probably will) end up caching the session token between runs of the script, however I still think this is a bug that should be fixed.

@camsaul

Member

commented Oct 25, 2018

I would definitely recommend caching session credentials and then only logging in again when you get Unauthorized response codes.

@salsakran salsakran added the API label Nov 6, 2018

@Swizz


commented Nov 30, 2018

I am in the same situation as @jasongi-actu.
Working on scripts to manage multiple Metabase instances.
To do things properly we log in, then log out once the script is done.

MB_DISABLE_SESSION_THROTTLE does not seem to solve the issue.

I understand the security concerns, but POST /api/session must not throttle requests on success.
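The pattern @camsaul recommends (cache the session token, re-authenticate only on a 401), shown against the behaviour @jasongi-actu and @Swizz describe (every login, correct password or not, counts towards the throttle). This is an added example and not code from the issue or from Metabase. The client relies on the real API shape only in that `POST /api/session` returns the token as `id` and later requests send it in the `X-Metabase-Session` header; the `FakeMetabase` server, its `MAX_LOGIN_ATTEMPTS` threshold, the credentials and the cache path are all constructed for the demo.

```python
import json
import os
import tempfile
from typing import Callable, Dict, Optional, Tuple

# Constructed credentials for the demo; the fake server below accepts exactly these.
USER = "automation@example.com"
PASSWORD = "correct horse battery staple"
MAX_LOGIN_ATTEMPTS = 3  # assumed threshold for the fake server, not Metabase's real limit

Response = Tuple[int, dict]
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Response]


class FakeMetabase:
    """In-memory stand-in for a Metabase server (assumption, not Metabase code).
    Reproduces the reported behaviour: every POST /api/session bumps a counter
    whether or not the password is right, and past MAX_LOGIN_ATTEMPTS it refuses."""

    def __init__(self) -> None:
        self.attempts = 0
        self.sessions: set = set()

    def request(self, method: str, path: str, headers: Dict[str, str],
                body: Optional[dict]) -> Response:
        if method == "POST" and path == "/api/session":
            self.attempts += 1  # counted even for a correct password: the reported bug
            if self.attempts > MAX_LOGIN_ATTEMPTS:
                return 400, {"errors": {"username": "Too many attempts"}}  # constructed message
            if body and body.get("username") == USER and body.get("password") == PASSWORD:
                token = "session-%d" % len(self.sessions)  # sequential here; real tokens are random
                self.sessions.add(token)
                return 200, {"id": token}
            return 400, {"errors": {"password": "did not match stored password"}}
        # Every other endpoint needs a valid X-Metabase-Session header.
        if headers.get("X-Metabase-Session") not in self.sessions:
            return 401, {"error": "Unauthenticated"}
        if method == "GET" and path == "/api/user/current":
            return 200, {"email": USER}
        return 404, {}

    def revoke_all_sessions(self) -> None:
        """Simulate session expiry or an admin logging everyone out."""
        self.sessions.clear()


class MetabaseClient:
    """Caches the session token on disk; calls POST /api/session only when no
    token is cached or the server answers 401."""

    def __init__(self, transport: Transport, cache_path: str) -> None:
        self._transport = transport
        self._cache_path = cache_path
        self._token = self._load_token()
        self.logins = 0  # how many times this instance hit /api/session

    def _load_token(self) -> Optional[str]:
        try:
            with open(self._cache_path) as f:
                return json.load(f).get("id")
        except (OSError, ValueError, AttributeError):
            return None

    def _login(self) -> None:
        self.logins += 1
        status, body = self._transport("POST", "/api/session", {},
                                       {"username": USER, "password": PASSWORD})
        if status != 200:
            raise RuntimeError("login failed: %s %s" % (status, body))
        self._token = body["id"]
        # The token is a bearer credential: create the cache file owner-only (0600).
        fd = os.open(self._cache_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump({"id": self._token}, f)

    def get(self, path: str) -> dict:
        if self._token is None:
            self._login()
        status, body = self._transport("GET", path, {"X-Metabase-Session": self._token}, None)
        if status == 401:  # cached token expired or revoked: re-authenticate once and retry
            self._login()
            status, body = self._transport("GET", path, {"X-Metabase-Session": self._token}, None)
        if status != 200:
            raise RuntimeError("%s failed: %s %s" % (path, status, body))
        return body


def fresh_cache_path() -> str:
    """Cache file inside a private temporary directory (mkdtemp creates it mode 0700)."""
    return os.path.join(tempfile.mkdtemp(), "metabase_session.json")


def naive_runs(server: FakeMetabase, runs: int) -> int:
    """The issue's pattern: log in fresh on every run. Returns how many runs got a session."""
    ok = 0
    for _ in range(runs):
        status, _ = server.request("POST", "/api/session", {}, {"username": USER, "password": PASSWORD})
        ok += status == 200
    return ok


def cached_runs(server: FakeMetabase, runs: int, cache_path: str) -> Tuple[int, int]:
    """Same runs through the caching client. Returns (successful runs, logins made)."""
    ok = logins = 0
    for _ in range(runs):
        client = MetabaseClient(server.request, cache_path)
        ok += client.get("/api/user/current").get("email") == USER
        logins += client.logins
    return ok, logins


if __name__ == "__main__":
    print("naive: %d of 5 runs succeeded" % naive_runs(FakeMetabase(), 5))
    print("cached: %s (runs ok, logins made)" % (cached_runs(FakeMetabase(), 5, fresh_cache_path()),))
```

With the fake server's threshold of 3, the naive script gets only three sessions out of five runs, while the caching client logs in once and reuses the token across all five; after the server revokes sessions it sees a 401, logs in a second time and carries on, still well under the threshold. Two practical points follow from this: the token file is a credential, so it is written 0600 inside a private directory, and logging out at the end of every run (as @Swizz's scripts do) discards exactly the token the cache is meant to keep, so the script should instead hold the session and let expiry or a 401 trigger the next login. Unlike MB_DISABLE_SESSION_THROTTLE, this leaves the throttle in place for wrong passwords.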
