Roundup Tracker - Issues

Issue 2551063

Classification
Title: Rest/Xmlrpc interfaces need failed login protection
Type: rfe
Severity: normal
Components: API
Versions:
Process
Status: fixed
Resolution: fixed
Superseder:
Assigned To: rouilj
Nosy List: rouilj, schlatterbeck
Priority:
Keywords: rest

Created on 2019-10-06 22:00 by rouilj, last changed 2023-10-07 19:38 by rouilj.

Messages
msg6697 Author: [hidden] (rouilj) Date: 2019-10-06 22:00
We have rate limiting for login attempts on the web interface. We
should extend this to the xmlrpc and rest endpoints. The API endpoints
are another mechanism for password guessing attacks.

We do have rest rate limiting, but that's to prevent misbehaving
clients with valid credentials from using excessive resources.

This ticket is for limiting connections with invalid credentials.
msg7802 Author: [hidden] (rouilj) Date: 2023-07-20 00:40
changeset:   7556:273c8c2b5042

Implemented and documented.

The test suite tests Rest via test_liveserver.py

No xmlrpc tests are done. It was manually verified that rate limits on failed login work.
The xmlrpc interface has no valid login rate limiting at this time.
msg7839 Author: [hidden] (rouilj) Date: 2023-10-07 19:38
To clarify my last confusing entry:

xmlrpc is failed login rate limited. Unlike the rest interface, there is no
rate limiting on the use of the xmlrpc interface with valid logins.
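The distinction the two messages above draw, between throttling a client that is misbehaving with valid credentials and throttling credential guessing, can be seen in code. The following is an added example and is not Roundup's implementation from changeset 7556 (which is not reproduced here): it implements only the failed-login side, a per-key sliding window that counts failures, clears on success, and refuses attempts for a blocked key before the password is checked. The `FailedLoginLimiter` class, the choice of username as the key, the 3-failures-per-60-seconds thresholds, the PBKDF2 parameters, and the `USERS` table are all assumptions made for the example.

```python
"""Added example: failed-login rate limiting in front of an API login.

Counts only *failed* authentications per key inside a sliding window and
refuses further attempts for that key while it is over the limit. It does
not throttle authenticated use at all; that is a separate limiter.
"""
import hashlib
import hmac
import os
import time
from collections import deque


class FailedLoginLimiter:
    """Sliding-window counter of failed login attempts per key (username here)."""

    def __init__(self, max_failures=5, window_seconds=60.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock          # injectable so the example is deterministic
        self._failures = {}         # key -> deque of failure timestamps

    def _live_failures(self, key, now):
        """Drop failures older than the window; return the deque or None."""
        q = self._failures.get(key)
        if q is None:
            return None
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self._failures[key]
            return None
        return q

    def retry_after(self, key):
        """Seconds until the key may try again; 0.0 if it is not blocked."""
        now = self.clock()
        q = self._live_failures(key, now)
        if q is None or len(q) < self.max_failures:
            return 0.0
        # The block lifts when the oldest counted failure leaves the window.
        return max(0.0, (q[0] + self.window) - now)

    def is_blocked(self, key):
        return self.retry_after(key) > 0.0

    def record_failure(self, key):
        self._failures.setdefault(key, deque()).append(self.clock())

    def record_success(self, key):
        # A good login clears earlier typos so real users are not locked out.
        self._failures.pop(key, None)


def _hash_password(password, salt, iterations=10_000):
    # Iteration count kept low so the example runs quickly; raise it in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed user table for the example; not real accounts.
USERS = {"admin": make_user("correct horse battery staple")}
_DUMMY = make_user(os.urandom(16).hex())   # hashed against for unknown names


def authenticate(limiter, users, username, password):
    """Returns (status, retry_after_seconds); status is 'ok',
    'bad-credentials' or 'rate-limited'. A REST handler would map
    'rate-limited' to HTTP 429 plus a Retry-After header."""
    wait = limiter.retry_after(username)
    if wait > 0.0:
        # Refuse before touching the password: no oracle while blocked.
        return "rate-limited", wait
    user = users.get(username)
    # Hash even for unknown names so timing does not reveal which exist,
    # and count them as failures so name enumeration is throttled too.
    salt = user["salt"] if user else _DUMMY["salt"]
    expected = user["hash"] if user else _DUMMY["hash"]
    candidate = _hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, expected):
        limiter.record_failure(username)
        return "bad-credentials", 0.0
    limiter.record_success(username)
    return "ok", 0.0


class FakeClock:
    """Deterministic clock so the demonstration runs instantly."""
    def __init__(self, t=0.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def demo():
    """Simulate a guessing client: three wrong passwords, then the right one."""
    clock = FakeClock()
    limiter = FailedLoginLimiter(max_failures=3, window_seconds=60, clock=clock)
    results = [authenticate(limiter, USERS, "admin", g)[0]
               for g in ("password", "admin", "letmein")]
    # Right password, but the key is blocked until the window passes.
    results.append(authenticate(limiter, USERS, "admin", "correct horse battery staple")[0])
    clock.advance(61)
    results.append(authenticate(limiter, USERS, "admin", "correct horse battery staple")[0])
    return results


if __name__ == "__main__":
    print(demo())
```

Keying on username, as here, stops distributed guessing against one account but lets an attacker lock that account out; keying on client address does the reverse. Which key a deployment uses is a policy choice, and the limiter above takes any hashable key.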
History
Date | User | Action | Args
2023-10-07 19:55:13 | rouilj | link | issue2551197 superseder
2023-10-07 19:38:28 | rouilj | set | messages: + msg7839
2023-07-20 00:40:13 | rouilj | set | status: open -> fixed; resolution: remind -> fixed; messages: + msg7802
2023-07-17 13:47:53 | rouilj | set | status: new -> open; assignee: rouilj
2023-06-16 01:32:49 | rouilj | set | keywords: + rest; components: + API
2023-03-14 04:00:25 | rouilj | set | resolution: remind
2019-10-13 21:48:42 | rouilj | set | type: rfe
2019-10-07 09:26:00 | schlatterbeck | set | nosy: + schlatterbeck
2019-10-06 22:00:00 | rouilj | create |