[RateLimiter][Security] Allow to use no lock in the rate limiter/login throttling #40284
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
carsonbot
changed the title
chalasr
reviewed
Feb 23, 2021
Member
chalasr
left a comment
chalasr
left a comment
There was a problem hiding this comment.
would be even better with a test :)
...ymfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
Outdated
Show resolved
Hide resolved
...ymfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
Outdated
Show resolved
Hide resolved
Seldaek
approved these changes
Feb 24, 2021
Nyholm
requested changes
Feb 24, 2021
Member
Nyholm
left a comment
Nyholm
left a comment
There was a problem hiding this comment.
Thank you for this PR. I like this feature, but I fear it might be a BC break.
src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
Show resolved
Hide resolved
...ymfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
Outdated
Show resolved
Hide resolved
wouterj
force-pushed
the
rate-limiter-no-lock
branch
from
b33b948 to
61d6233
Compare
Member
Author
|
Thanks for the reviews! Updated UPGRADE and CHANGELOG & added some tests. Status: Needs Review |
wouterj
force-pushed
the
rate-limiter-no-lock
branch
3 times, most recently
from
dbe11a1 to
2224d78
Compare
chalasr
reviewed
Feb 25, 2021
src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/PhpFrameworkExtensionTest.php
Outdated
Show resolved
Hide resolved
Nyholm
approved these changes
Feb 25, 2021
Member
Nyholm
left a comment
Nyholm
left a comment
There was a problem hiding this comment.
Im happy with this PR when CI is green.
src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/PhpFrameworkExtensionTest.php
Outdated
Show resolved
Hide resolved
wouterj
force-pushed
the
rate-limiter-no-lock
branch
2 times, most recently
from
67beb15 to
eed20d0
Compare
wouterj
force-pushed
the
rate-limiter-no-lock
branch
from
eed20d0 to
45be875
Compare
Nyholm
approved these changes
Feb 25, 2021
chalasr
approved these changes
Feb 25, 2021
fabpot
approved these changes
Feb 26, 2021
Member
|
Thank you @wouterj. |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for disabling lock in rate limiters. This was brought up by @Seldaek. In most cases (e.g. login throttling), it's not critical to strictly avoid even a single overflow of the window/token. At least, it's probably not always worth the extra load on the lock storage (e.g. redis).
It also directly disables locking by default for login throttling. I'm not sure about this, but I feel like this fits the 80% case where it's definitely not needed (and it's easier to use if you don't need to set-up locking first).