Add optional ThrottlingListener to throttle two factor attempts #165
Conversation
Given this is a colleague of mine, I think this is a good idea :) Just a little heads-up: Symfony 6.2 introduced peekable rate limiters in order to reduce load on the limiter/lock systems: symfony/symfony#46110. It would be a good idea to use them in this listener for Symfony 6.2 applications (this can be checked using
Could make sense to add this to the bundle. I have had this page in the documentation for ages, but I don't know how many people actually read and do it. I think it makes sense to encourage people to adopt good security practices by adding an out-of-the-box solution. Two things that I'm currently concerned about:
I agree with the 2 points you raised @scheb, and I tried to implement it like that. I added
Necessary, so that I can consider this for merge:
- Fix code style issues
- Documentation for the new configuration setting
- Test coverage
```php
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\RateLimiter\RateLimiterFactory;

final class ThrottlingListener implements EventSubscriberInterface
```
Please remove the `final` keyword and add PHPDoc `@final` (check other classes for reference). That's how I do it in the library to keep myself the ability to mock things if necessary.
I'm reading up on Symfony a bit and looking at some code to dig into the concepts and ecosystem and came across this, so I'm sorry if I am a bit off in some technical details. The throttle addresses `$rateLimiter = $this->rateLimiterFactory->create($event->getToken()->getUserIdentifier());`. This highly depends on the rate limiter and code generator configuration and implementation. Given a relatively short 2FA code and simple code (i.e. 6 digit) and some attempts available, access to accounts could possibly be gained with several cloud providers, proxy services etc. (Example bug bounty writeup for an Instagram 2FA brute force rate limit issue)
Closing due to inactivity.
Description
We recently had our platform pentested and one of the findings was that two factor codes were able to be brute forced by an attacker. In our case, quite easily in fact, because we are using TOTP with 6 digit codes. I added this listener to our core library, and now all our applications are protected from brute forcing the two factor codes. I thought it might be nice to (optionally) add this to this bundle. Let me know what you think. If you think it's a good idea, I will add a unit test.
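The point raised in the review comment and in the description above is worth making concrete. A 6-digit TOTP code has 10^6 possible values, so an attacker who can make n guesses while a code is valid succeeds with probability of roughly n/10^6 per account; the only lever the application has is to keep n small. The snippet quoted in the review keys the limiter on the user identifier, and that is the right choice: a limiter keyed on the client IP is exactly what the distributed attack described there (many cloud or proxy addresses) defeats, because every new address gets a fresh budget. The cost of per-user keying is that an attacker can exhaust the legitimate user's budget and lock them out of their own second factor for the window, which argues for a short sliding window and for resetting the budget on a successful login rather than a hard lock. The listener below is an added illustration of that design, not code from this PR or from the scheb/2fa bundle. It assumes the bundle's `TwoFactorAuthenticationEvent` and the `TwoFactorAuthenticationEvents::ATTEMPT` / `SUCCESS` hooks, a Symfony rate limiter named `two_factor` configured under `framework.rate_limiter` (for example `policy: sliding_window`, `limit: 5`, `interval: '15 minutes'`, which autowires as `RateLimiterFactory $twoFactorLimiter`), and the class and key names shown.

```php
<?php
// Added illustration, not the PR's or the bundle's code. Assumes scheb/2fa's
// TwoFactorAuthenticationEvent(s) and a Symfony rate limiter named "two_factor".
declare(strict_types=1);

namespace App\EventListener;

use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvent;
use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvents;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\RateLimiter\RateLimiterFactory;

/**
 * Throttles two-factor code submissions per user identifier.
 *
 * @final
 */
class TwoFactorThrottlingListener implements EventSubscriberInterface
{
    // Autowired from the "two_factor" limiter configured under framework.rate_limiter
    // (assumed configuration: sliding_window, limit 5, interval '15 minutes').
    public function __construct(private RateLimiterFactory $twoFactorLimiter)
    {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            // Fired for every submitted code, before it is checked: each attempt
            // costs one token, and an out-of-budget attempt never reaches the comparison.
            TwoFactorAuthenticationEvents::ATTEMPT => 'onAttempt',
            // A correct code proves the real user is present; hand the budget back
            // so an attacker cannot keep them locked out indefinitely.
            TwoFactorAuthenticationEvents::SUCCESS => 'onSuccess',
        ];
    }

    public function onAttempt(TwoFactorAuthenticationEvent $event): void
    {
        $limit = $this->twoFactorLimiter
            ->create($this->limiterKey($event))
            ->consume(1);

        if (!$limit->isAccepted()) {
            // Retry-After in seconds, derived from when the limiter next frees a token.
            $retryAfter = max(1, $limit->getRetryAfter()->getTimestamp() - time());
            throw new TooManyRequestsHttpException($retryAfter, 'Too many two-factor attempts.');
        }
    }

    public function onSuccess(TwoFactorAuthenticationEvent $event): void
    {
        $this->twoFactorLimiter->create($this->limiterKey($event))->reset();
    }

    private function limiterKey(TwoFactorAuthenticationEvent $event): string
    {
        // Deliberately not the client IP: an attacker rotating through cloud or
        // proxy addresses would otherwise get a fresh attempt budget per address.
        // Keying on the user means every guess against this account draws from one bucket.
        return 'two_factor:' . $event->getToken()->getUserIdentifier();
    }
}
```

Because the budget is per account rather than per address, rotating IPs buys the attacker nothing; what remains is the lockout trade-off, which the short sliding window and the reset on success keep bounded rather than permanent.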