Proposal: Restrict the number of times a user can fail a login attempt

Open jchauncey opened this issue 9 years ago • 8 comments

Right now we do not restrict the number of times people can fail a login attempt.

jchauncey avatar Mar 21 '16 18:03 jchauncey

Would some kind of rate-limiting feature fix this?

bacongobbler avatar Mar 21 '16 19:03 bacongobbler

I think it depends on how complicated we want to get. Honestly, this probably plays into a larger theme feature which is Org management/security enhancements/(auth/id) management. But I think after 3 or 5 times you are locked out until an admin unlocks you or we trigger an unlock event somehow.

jchauncey avatar Mar 21 '16 19:03 jchauncey

https://www.djangopackages.com/grids/g/antiflood/ here are a few, though most will want a cache (redis / memcache) of some sort to store login attempts, etc.

helgi avatar Jun 10 '16 21:06 helgi
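
The lockout behaviour proposed above (lock after a fixed number of failures until an admin unlocks or a timed unlock event fires, with attempts kept in a cache) can be sketched as follows. This is an added example, not code from the thread or from the Deis controller; the `LoginThrottle` class, its method names and the dict standing in for a Redis/memcache-backed store are assumptions for illustration.

```python
import time


class LoginThrottle:
    """Counts failed logins per username and locks the account at a threshold."""

    def __init__(self, store=None, max_failures=5, lock_seconds=None, clock=time.time):
        # Assumption: a plain dict stands in for the Redis/memcache-backed cache.
        # A shared cache would need an atomic increment instead of get-then-set.
        self.store = {} if store is None else store
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds  # None: locked until an admin unlocks
        self.clock = clock

    def _key(self, username):
        # Normalise so "Alice" and "alice " share one counter.
        return "login-fail:" + username.strip().lower()

    def is_locked(self, username):
        entry = self.store.get(self._key(username))
        if not entry or entry["count"] < self.max_failures:
            return False
        if self.lock_seconds is None:
            return True
        if self.clock() - entry["locked_at"] >= self.lock_seconds:
            self.unlock(username)  # timed unlock event: lock expired
            return False
        return True

    def record_failure(self, username):
        # Call after a rejected password; returns True once the account is locked.
        if self.is_locked(username):
            return True
        key = self._key(username)
        entry = self.store.get(key) or {"count": 0, "locked_at": None}
        entry["count"] += 1
        if entry["count"] >= self.max_failures:
            entry["locked_at"] = self.clock()
        self.store[key] = entry
        return self.is_locked(username)

    def record_success(self, username):
        # A successful login clears the counter but never lifts an active lock.
        if not self.is_locked(username):
            self.store.pop(self._key(username), None)

    def unlock(self, username):
        # Admin action (or timed expiry): clear both the lock and the counter.
        self.store.pop(self._key(username), None)
```

The login view would call `is_locked()` before checking the password, so a locked account is refused even when the correct password is supplied.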

We have a redis component now so the cache is no longer a blocker.

Joshua-Anderson avatar Sep 08 '16 18:09 Joshua-Anderson

That redis component is used for logging - we shouldn't be re-using components all too much. We could do it but then we'd have to do more sanity checking / users / acl kind of dealio so logger doesn't blow up controller cache and other way around

helgi avatar Sep 08 '16 18:09 helgi

True, I was thinking we would use a second database on the redis component or we would deploy the deis-redis component twice, once for logger and once for the controller.

Joshua-Anderson avatar Sep 08 '16 18:09 Joshua-Anderson

Redis has a default of 32 "databases". IIRC logger is only using one, so there's nothing technically stopping us from using another :)

bacongobbler avatar Sep 08 '16 18:09 bacongobbler

This issue was moved to teamhephy/controller#67

Cryptophobia avatar Mar 20 '18 18:03 Cryptophobia