Mercurial > p > roundup > code
comparison roundup/configuration.py @ 5717:cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
Generic rate limit mechanism added. Deployed for web page
logins. Default is 3 login attempts/minute for a user. After which one
login attempt every 20 seconds can be done.
Uses gcra algorithm so all I need to store is a username and timestamp
in the one time key database. This does mean I don't have a list of
all failed login attempts as part of the rate limiter.
Set up config setting as well so admin can tune the rate. Maybe 1
every 10 seconds is ok at a site with poor typists who need 6 attempts
to get the password right 8-).
The gcra method can also be used to limit the rest and xmlrpc
interfaces if needed. The mechanism I added also supplies a status
method that calculates the expected values for http headers returned
as part of rate limiting.
Also tests added to test all code paths I hope.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 11 May 2019 17:24:58 -0400 |
| parents | c7dd1cae3416 |
| children | e199d0ae4a25 |
comparison
equal
deleted
inserted
replaced
| 5716:42a713e36def | 5717:cad18de2b988 |
|---|---|
| 716 "Whether to use HTTP Basic Authentication, if present.\n" | 716 "Whether to use HTTP Basic Authentication, if present.\n" |
| 717 "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n" | 717 "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n" |
| 718 "variables supplied by your web server (in that order).\n" | 718 "variables supplied by your web server (in that order).\n" |
| 719 "Set this option to 'no' if you do not wish to use HTTP Basic\n" | 719 "Set this option to 'no' if you do not wish to use HTTP Basic\n" |
| 720 "Authentication in your web interface."), | 720 "Authentication in your web interface."), |
| 721 (IntegerNumberOption, 'login_attempts_min', "3", | |
| 722 "Limit login attempts per user per minute to this number.\n" | |
| 723 "By default the 4th login attempt in a minute will notify\n" | |
| 724 "the user that they need to wait 20 seconds before trying to\n" | |
| 725 "log in again. This limits password guessing attacks and\n" | |
| 726 "shouldn't need to be changed.\n"), | |
| 721 (SameSiteSettingOption, 'samesite_cookie_setting', "Lax", | 727 (SameSiteSettingOption, 'samesite_cookie_setting', "Lax", |
| 722 """Set the mode of the SameSite cookie option for | 728 """Set the mode of the SameSite cookie option for |
| 723 the session cookie. Choices are 'Lax' or | 729 the session cookie. Choices are 'Lax' or |
| 724 'Strict'. 'None' can be used to suppress the | 730 'Strict'. 'None' can be used to suppress the |
| 725 option. Strict mode provides additional security | 731 option. Strict mode provides additional security |