Ability to limit rate on login API #440
Comments
We need to add
I don't like the captcha solution. We should use reCAPTCHA on the frontend and limit API calls with Rack Attack.
Agreed with you, please create an additional issue for adding Rack::Attack.
Why did you close this, @calj?
@mod The request with Rack Attack is here: https://github.com/rubykube/barong/pull/468
Implemented in 1.8.22
Ability to limit rate on login API
A malicious user tries to brute-force the login form and login API using thousands of requests.
Implementation suggestion
Study the optional Captcha on login: https://github.com/rubykube/barong/issues/356
We can count failed login attempts and the time of the last failed login attempt.
Disregarding IP and cookies, this is a MySQL-based counter that increments on each consecutive failed login but resets on the first successful login.
After 5 failed login attempts we will reject any login attempt for 10 minutes.
If the login after those 10 minutes is successful, the failed login attempt counter is reset.
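Added example (not barong's code, and not from the linked pull request): a plain Ruby model of the two controls discussed in this issue, the per-account failed-login counter with a 5-attempt / 10-minute lockout described in the issue body, and a fixed-window per-IP request throttle of the kind the comments propose doing with Rack::Attack. In-memory hashes stand in for the MySQL counter table, the clock is injected so the lockout window can be exercised without waiting, and the account names and IP address are constructed sample values.

```ruby
# Added example, not barong's code. Thresholds are the ones stated in the issue.
MAX_FAILED_ATTEMPTS = 5       # failures before the account is locked
LOCKOUT_SECONDS = 10 * 60     # how long login is rejected after that

# Per-account lockout, keyed by the login identifier regardless of IP or cookie.
# The counter only increments on failures and only resets on a successful login,
# so a failure after the window expires re-locks the account immediately.
class LoginLockout
  def initialize(max_attempts: MAX_FAILED_ATTEMPTS, lockout: LOCKOUT_SECONDS, clock: -> { Time.now })
    @max = max_attempts
    @lockout = lockout
    @clock = clock
    # Stand-in for the MySQL row: failures count and time of the last failure.
    @state = Hash.new { |h, k| h[k] = { failures: 0, last_failure_at: nil } }
  end

  # True while the account is inside its lockout window.
  def locked?(account)
    s = @state[account]
    s[:failures] >= @max && (@clock.call - s[:last_failure_at]) < @lockout
  end

  # The login handler calls this with a block that performs the password check.
  # The block is NOT run while locked, so a locked account gets no credential
  # verification at all. Returns :locked, :ok or :failed.
  def attempt(account)
    return :locked if locked?(account)
    if yield
      @state.delete(account)   # first successful login resets the counter
      :ok
    else
      s = @state[account]
      s[:failures] += 1
      s[:last_failure_at] = @clock.call
      :failed
    end
  end

  def failures_for(account)
    @state[account][:failures]
  end
end

# Fixed-window throttle per client IP, the shape of a Rack::Attack `throttle`
# rule: at most `limit` requests per `period` seconds, independent of the account.
class IpThrottle
  def initialize(limit:, period:, clock: -> { Time.now })
    @limit, @period, @clock = limit, period, clock
    @counts = Hash.new(0)   # [ip, window_index] => request count
  end

  # Returns true if the request may proceed, false if it should get HTTP 429.
  def allow?(ip)
    window = @clock.call.to_i / @period
    @counts.delete_if { |(_, w), _| w < window }   # drop expired windows
    key = [ip, window]
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

# Walks through the scenario in the issue with a fake clock and returns the
# outcome of each step in order.
def lockout_scenario
  now = Time.at(0)
  lock = LoginLockout.new(clock: -> { now })
  out = []
  5.times { out << lock.attempt("alice") { false } }   # five wrong passwords
  out << lock.attempt("alice") { true }                # right password, but locked
  now += LOCKOUT_SECONDS                               # window has elapsed
  out << lock.attempt("alice") { true }                # succeeds and resets
  out << lock.failures_for("alice")                    # counter back to 0
  out
end

puts lockout_scenario.inspect if __FILE__ == $PROGRAM_NAME
```

In a real deployment the two controls layer: the IP throttle (Rack::Attack in the comments) caps request volume from any one source, while the account counter stops a distributed attacker who rotates IPs from guessing one account indefinitely. Note that the account lockout is also a denial-of-service lever against a known username, which is why the issue pairs it with a captcha rather than relying on it alone.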