Message 6471
I implemented a rate limiting library as we probably need it for
the rest and xmlrpc interfaces. This is based on an existing gcra
algorithm I found.
As a test I implemented a limit of 3 web login attempts in 60 seconds.
The user can log in 3 times as fast as they want. On the 4th attempt
within a minute, they get a rejection with:
Logins occurring too fast. Please wait: 20 seconds.
Any attempts to log in during those 20 seconds will result in the same
message. The login attempt, even if it has the right password, is ignored.
After 20 seconds the user gets one login attempt and then is blocked for 20
seconds again. If they wait for one minute they can try 3 more attempts.
There is a config setting to change the number of logins/minute.
The one minute interval is hard coded in LoginAction.
Committed on 5717:cad18de2b988. Note this broke a few tests because they
were tripping the rate limit. I managed to fix all of them except the
password migration/update test. I have set that to xfail at the moment as
I can't figure out how to fix it as it doesn't seem to be tripping the
rate limit test. Will ask for assistance on the devel list.
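A small worked model of the behaviour the message describes (3 login attempts per 60 seconds, so one attempt is replenished every 20 seconds), written as an added example. It is not Roundup's rate limiting library nor the gcra code the message refers to; the class and function names are assumptions, and it keeps a single bucket where a real deployment would key one per user or client address.

```python
import math
import time


class GCRA:
    """Generic Cell Rate Algorithm used as a rate limiter (hypothetical example code).

    count/period_seconds gives the emission interval (20 s for 3 per 60 s); the
    tolerance equals the full period, so a quiet user may burst `count` attempts.
    """

    def __init__(self, count, period_seconds, now=time.time):
        self.emission_interval = period_seconds / count  # 20.0 s for 3 per minute
        self.tolerance = period_seconds                   # burst window, 60 s
        self.now = now                                    # injectable clock for tests
        self.tat = None  # theoretical arrival time of the next conforming attempt

    def check(self):
        """Return (allowed, seconds_to_wait). A rejected attempt does not advance TAT,
        so hammering the login form during the wait does not extend the penalty."""
        t = self.now()
        tat = t if self.tat is None else max(self.tat, t)
        new_tat = tat + self.emission_interval
        allow_at = new_tat - self.tolerance
        if t < allow_at:
            return False, allow_at - t
        self.tat = new_tat
        return True, 0.0


def login_gate(limiter):
    """Return None when the attempt may proceed to password checking, otherwise the
    rejection text in the form the message quotes (wait rounded up to whole seconds)."""
    allowed, wait = limiter.check()
    if allowed:
        return None
    return "Logins occurring too fast. Please wait: %d seconds." % math.ceil(wait)


class FakeClock:
    """Constructed clock so the sequence from the message can be replayed deterministically."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    limiter = GCRA(count=3, period_seconds=60, now=clock)
    for _ in range(4):
        print(login_gate(limiter))  # three None, then the "Please wait: 20 seconds." text
```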
Date | User | Action | Args
2019-05-12 20:08:16 | rouilj | set | messageid: <1557691696.51.0.511185160266.issue2550949@roundup.psfhosted.org>
2019-05-12 20:08:16 | rouilj | set | recipients: + rouilj, ber
2019-05-12 20:08:16 | rouilj | link | issue2550949 messages
2019-05-12 20:08:16 | rouilj | create |