I'm using your middleware to protect our API's login endpoint. When a user successfully logs in, I would like to reset the request counter for that user's IP address. That way, other users on the same network (with the same IP address) aren't punished.
This is particularly important when an API is used by lots of users in an office environment where everybody is logging in from the same IP address.
Currently I have to set the daily attempt limit to the maximum number of users behind a single IP address times 5 (for example). This makes the login endpoint of the API significantly easier to brute-force using a botnet.
(This is offset by a strong password requirement and a slow server-side hashing algorithm, but the high rate limit still makes the API much easier to DDoS with a much smaller botnet.)
TLDR: It would be very nice to be able to clear a single key from the storage. This will allow setting much more strict limits.
Yeah it could become handy. However, I'm afraid I don't have much time at the moment to develop new features...
Don't hesitate to submit us a pull request if you can 👍
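
A sketch of the behaviour requested in this issue, added here as an example and not taken from the middleware under discussion: an in-memory limiter with a per-key `reset`, called from a login handler on success. `FixedWindowLimiter`, `login`, `USERS` and the second per-username counter are assumptions made for illustration; the per-username key is there because clearing the shared IP key on any success would otherwise let one valid account reopen the guessing budget for every other account.

```python
import hmac
import time

class FixedWindowLimiter:
    """Hypothetical in-memory store: at most `limit` hits per key per `period` seconds."""

    def __init__(self, limit, period):
        self.limit, self.period = limit, period
        self._hits = {}  # key -> (window_start, count)

    def hit(self, key, now=None):
        """Record one request for `key`; return True if it is within the limit."""
        now = time.monotonic() if now is None else now
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.period:   # window expired, start a new one
            start, count = now, 0
        self._hits[key] = (start, count + 1)
        return count + 1 <= self.limit

    def reset(self, key):
        """Clear a single key, the operation requested in the issue."""
        self._hits.pop(key, None)

# Constructed sample credentials; a real service verifies a slow password hash.
USERS = {"alice": "correct horse", "bob": "battery staple"}

def login(ip_limiter, user_limiter, ip, username, password, now=None):
    """Return 'ok', 'denied' or 'throttled' for one login attempt."""
    # Per-IP counter: shared by everyone behind the same office NAT.
    if not ip_limiter.hit(ip, now):
        return "throttled"
    # Per-username counter: not cleared by another account's success, so
    # guesses against one account stay bounded after the IP key is reset.
    if not user_limiter.hit(username, now):
        return "throttled"
    expected = USERS.get(username)
    if expected is not None and hmac.compare_digest(expected, password):
        ip_limiter.reset(ip)             # colleagues start from a clean counter
        user_limiter.reset(username)
        return "ok"
    return "denied"
```
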