Issue 2551063
Created on 2019-10-06 22:00 by rouilj, last changed 2023-10-07 19:38 by rouilj.
|
| msg6697 |
Author: [hidden] (rouilj) |
Date: 2019-10-06 22:00 |
|
We have rate limiting for login attempts on the web interface. We
should extend this to the xmlrpc and rest endpoints. The API endpoints
are another mechanism for passowrd guessing attacks.
We do have rest rate limiting, but that's to prevent misbehaving
clients with valid credentials from using excessive resource.
This ticket is for limiting connections with invalid credentials.
|
| msg7802 |
Author: [hidden] (rouilj) |
Date: 2023-07-20 00:40 |
|
changeset: 7556:273c8c2b5042
Implemented and documented.
The test suite tests Rest testing via test_liveserver.py
No xmlrpc tests are done. It was manually verified that rate limits on failed login works.
The xmlrpc interface has no valid login rate limiting at this time.
|
| msg7839 |
Author: [hidden] (rouilj) |
Date: 2023-10-07 19:38 |
|
To clrify my last confusing entry:
xmlrpc is failed login rate limited. Unlike the rest interface, there is no
rate limiting on the use of the xmlrpc interface with valid logins.
|
|
| Date |
User |
Action |
Args |
| 2023-10-07 19:55:13 | rouilj | link | issue2551197 superseder |
| 2023-10-07 19:38:28 | rouilj | set | messages:
+ msg7839 |
| 2023-07-20 00:40:13 | rouilj | set | status: open -> fixed
resolution: remind -> fixed
messages:
+ msg7802 |
| 2023-07-17 13:47:53 | rouilj | set | status: new -> open
assignee: rouilj |
| 2023-06-16 01:32:49 | rouilj | set | keywords:
+ rest
components:
+ API |
| 2023-03-14 04:00:25 | rouilj | set | resolution: remind |
| 2019-10-13 21:48:42 | rouilj | set | type: rfe |
| 2019-10-07 09:26:00 | schlatterbeck | set | nosy:
+ schlatterbeck |
| 2019-10-06 22:00:00 | rouilj | create | |
|