[RateLimiter][Security] (obsolete) Add an easy way to customize "interval" in the default security.login_throttling #39927
Conversation
…in_throttling"
The only way to customize the default rate-limiter's options of the login_throttling (means fixed_window / 1 minute / 5 tokens) are through a custom limiter, which implies to declare a rate-limiter factory in the "framework.rate_limiter", a service which use this factory etc. It's really heavy just for changing an interval (moreover, 1 minute can be discutable).
In this PullRequest, I just propose to allow an `interval` option.
Example :
```
security:
firewalls:
main:
login_throttling:
max_attempts: 5
interval: '15 minutes'
```
|
Hey! I see that this is your first PR. That is great! Welcome! Symfony has a contribution guide which I suggest you to read. In short:
Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change. When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor! I am going to sit back now and wait for the reviews. Cheers! Carsonbot |
|
Hi @damienfa! Thanks for your time creating this PR. I think such an option makes lots of sense! Are you willing to add a test for this new feature? (I can help if you are unsure how to do this) Also note the failing CS check in "fabbot.io" is related to this PR (there seems to be a trailing whitespace). At last, can you please add a small note to
Lacking time was the main factor (and we have to be careful to mention it only works when using experimental authenticators). I'm happy to review if you propose some docs for this feature. |
carsonbot
changed the title
|
Ok, thanks for your answer.
I will take some time this week-end to fix the failing CS check (fabbot.io)
and try to create some unit-test. Is there a test concerning the
login_throttling feature or configuration ? I haven't find anything about
that in the existing tests (and it's why I didn't implement it).
Thanks,
|
|
Hi! We have a functional test for login throttling here: https://github.com/symfony/symfony/blob/5.x/src/Symfony/Bundle/SecurityBundle/Tests/Functional/FormLoginTest.php#L115 (which uses this config: https://github.com/symfony/symfony/blob/5.x/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/login_throttling.yml) |
|
Hello @wouterj , as discussed I've added some functional test (improving the existing one here with an interval and two more login attempts). Also, I've fixed the fabbot.io check (it was due to a trailing space). However, the Integration test (7.4) is now failing, and I don't understand which relation it has with my commit 🤷🏻♂️ Any help ? |
|
No worries! The failures also occur in the I'll checkout this PR somewhere the coming days. Thanks for your update! |
wouterj
left a comment
wouterj
left a comment
There was a problem hiding this comment.
2 minor comments, looks good otherwise!
Nyholm
left a comment
Nyholm
left a comment
There was a problem hiding this comment.
Thank you for this PR. This is great!
Could you fix the minor things so this can be merged in 5.3?
src/Symfony/Bundle/SecurityBundle/Tests/Functional/FormLoginTest.php
Outdated
Show resolved
Hide resolved
…n provided (Pierrick VIGNAND)
This PR was merged into the 4.4 branch.
Discussion
----------
MockResponse total_time should not be simulated when provided
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
When you provide a `total_time` to a MockResponse, it is overriden. It should be simulated only when it is not provided I guess.
Ex: `new MockResponse('{"foo":"bar"}', ['total_time' => 0.4])`
Commits
-------
8dada95 fix: MockResponse total_time should not be simulated when provided
…f is missing (xabbuh) This PR was merged into the 4.4 branch. Discussion ---------- improve exception message if symfony/security-csrf is missing | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | Fix symfony#37452 | License | MIT | Doc PR | Commits ------- 1a26ed4 improve exception message if symfony/security-csrf is missing
…tch-1 # Conflicts: # src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
…in_throttling"
The only way to customize the default rate-limiter's options of the login_throttling (means fixed_window / 1 minute / 5 tokens) are through a custom limiter, which implies to declare a rate-limiter factory in the "framework.rate_limiter", a service which use this factory etc. It's really heavy just for changing an interval (moreover, 1 minute can be discutable).
In this PullRequest, I just propose to allow an `interval` option.
Example :
```
security:
firewalls:
main:
login_throttling:
max_attempts: 5
interval: '15 minutes'
```
…in_throttling"
The only way to customize the default rate-limiter's options of the login_throttling (means fixed_window / 1 minute / 5 tokens) are through a custom limiter, which implies to declare a rate-limiter factory in the "framework.rate_limiter", a service which use this factory etc. It's really heavy just for changing an interval (moreover, 1 minute can be discutable).
In this PullRequest, I just propose to allow an `interval` option.
Example :
```
security:
firewalls:
main:
login_throttling:
max_attempts: 5
interval: '15 minutes'
```
damienfa
changed the title
damienfa
changed the title
|
Sorry, I have to close this merge request. Following this comment I needed to rebase on branch 5.x. |
…al` (in `security.firewalls`) option to change the default throttling interval. (damienfa, wouterj) This PR was merged into the 5.3-dev branch. Discussion ---------- [RateLimiter][Security] Add a `login_throttling.interval` (in `security.firewalls`) option to change the default throttling interval. | Q | A | ------------- | --- | Branch | 5.x | Bug fix | no | New feature | yes | Deprecations | no | License | MIT | Doc PR |⚠️ no doc The only way to customize the default rate-limiter's options of the login_throttling (means fixed_window / 1 minute / 5 tokens) are through a custom limiter, which implies to declare a rate-limiter factory in the "framework.rate_limiter", a service which use this factory etc. It's really heavy just for changing an interval (moreover, 1 minute can be discutable). In this PullRequest, I just propose to allow an `interval` option. Example : ```yaml security: firewalls: main: login_throttling: max_attempts: 5 interval: '15 minutes' ``` See functional tests. 🤷🏻♂️ This pull-request is a copy of [this pull-request ](#39927) that I've created some weeks ago. On the original PR, I just needed to rebase on 5.x to pass the tests (fabbot etc.) but the rebase I've tried runs in a loop of conflicts and I'm stuck. I've never experienced this before... SORRY. Commits ------- d1a0342 Fix tests cc74095 changes rebased
10 participants
The only way to customize the default rate-limiter's options of the login_throttling (means fixed_window / 1 minute / 5 tokens) are through a custom limiter, which implies to declare a rate-limiter factory in the "framework.rate_limiter", a service which use this factory etc. It's really heavy just for changing an interval (moreover, 1 minute can be discutable).
In this PullRequest, I just propose to allow an
intervaloption.Example :