Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Throttling fix & Add protection against login brute forcing #2685

Merged
merged 1 commit into from
Oct 25, 2024

Conversation

pglombardo
Copy link
Owner

@pglombardo pglombardo commented Oct 25, 2024

Description

This PR fixes #2684 and enables login brute force protections:

  • Throttle POST requests to /users/sign_in by email param
  • Limit POST requests to /users/sign_in to 5 per 20 seconds

These changes also mean that you can now disable throttling entirely by commenting out the throttling.minute and throttling.second values in settings.yml.

Related Issue

#2684

Type of Change

  • 📚 Examples / docs / tutorials / dependencies update
  • 🔧 Bug fix (non-breaking change which fixes an issue)
  • 🥂 Improvement (non-breaking change which improves an existing feature)
  • 🚀 New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to change)
  • 🔐 Security fix

Checklist

  • I've written tests (if applicable) for all new methods and classes that I created. (rake test)
  • I've added documentation as necessary so users can easily use and understand this feature/fix.

@pglombardo pglombardo merged commit ff39442 into master Oct 25, 2024
5 checks passed
@pglombardo pglombardo deleted the fix-2684 branch October 25, 2024 11:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Rate Throttling Throws Error
1 participant