ashpie/swaf
1
0
Fork 0
Code Issues 22 Pull Requests Releases 11 Wiki Activity

Use user id to throttle failed login attempts instead of name

Browse Source 
This allows UserNameComponent to be optional
This commit is contained in:
Alice Gaudon 2021-06-02 16:48:58 +02:00
parent 91410b1a15
commit 533cef5ab8
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/auth/password/PasswordAuthMethod.ts
View File

@ -66,7 +66,7 @@ export default class PasswordAuthMethod implements AuthMethod<PasswordAuthProof>
} catch (e) { } catch (e) {
if (e instanceof AuthError) { if (e instanceof AuthError) {
Throttler.throttle('login_failed_attempts_user', 3, 3 * 60 * 1000, // 3min Throttler.throttle('login_failed_attempts_user', 3, 3 * 60 * 1000, // 3min
<string>user.getOrFail('name'), 1000, 60 * 1000); // 1min user.getOrFail('id').toString(), 1000, 60 * 1000); // 1min
Throttler.throttle('login_failed_attempts_ip', 50, 60 * 1000, // 1min Throttler.throttle('login_failed_attempts_ip', 50, 60 * 1000, // 1min
req.ip, 1000, 3600 * 1000); // 1h req.ip, 1000, 3600 * 1000); // 1h