diff roundup/configuration.py @ 5717:cad18de2b988
issue2550949: Rate limit password guesses/login attempts.
Generic rate limit mechanism added. Deployed for web page
logins. Default is 3 login attempts/minute for a user, after which one
login attempt every 20 seconds can be done.
Uses the GCRA algorithm, so all I need to store is a username and timestamp
in the one-time key database. This does mean I don't have a list of
all failed login attempts as part of the rate limiter.
Set up config setting as well so admin can tune the rate. Maybe 1
every 10 seconds is ok at a site with poor typists who need 6 attempts
to get the password right 8-).
The GCRA method can also be used to limit the REST and XML-RPC
interfaces if needed. The mechanism I added also supplies a status
method that calculates the expected values for HTTP headers returned
as part of rate limiting.
Also tests added to test all code paths I hope.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 11 May 2019 17:24:58 -0400 |
| parents | c7dd1cae3416 |
| children | e199d0ae4a25 |
--- a/roundup/configuration.py Sun Apr 28 18:44:05 2019 -0400 +++ b/roundup/configuration.py Sat May 11 17:24:58 2019 -0400 @@ -718,6 +718,12 @@ "variables supplied by your web server (in that order).\n" "Set this option to 'no' if you do not wish to use HTTP Basic\n" "Authentication in your web interface."), + (IntegerNumberOption, 'login_attempts_min', "3", + "Limit login attempts per user per minute to this number.\n" + "By default the 4th login attempt in a minute will notify\n" + "the user that they need to wait 20 seconds before trying to\n" + "log in again. This limits password guessing attacks and\n" + "shouldn't need to be changed.\n"), (SameSiteSettingOption, 'samesite_cookie_setting', "Lax", """Set the mode of the SameSite cookie option for the session cookie. Choices are 'Lax' or
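Review bot: the help text for the new `login_attempts_min` option hardcodes "wait 20 seconds", which only holds for the default of "3" (60 s / 3); an admin who tunes the value, as the commit message invites, is left with a misleading description. Suggest wording it in terms of the configured value, e.g. "after the limit is hit, one attempt is allowed every 60/N seconds", and stating what a value of 0 or a negative number does, since the option is a plain IntegerNumberOption with no lower bound visible in this hunk. Minor: the last help string ends with "\n" while the neighbouring options' final lines ("Authentication in your web interface.") do not, so the rendered config comment gets a stray blank line.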
