Use user id to throttle failed login attempts instead of name

This allows UserNameComponent to be optional
Alice Gaudon 2021-06-02 16:48:58 +02:00
parent 91410b1a15
commit 533cef5ab8


@ -66,7 +66,7 @@ export default class PasswordAuthMethod implements AuthMethod<PasswordAuthProof>
} catch (e) { } catch (e) {
if (e instanceof AuthError) { if (e instanceof AuthError) {
Throttler.throttle('login_failed_attempts_user', 3, 3 * 60 * 1000, // 3min Throttler.throttle('login_failed_attempts_user', 3, 3 * 60 * 1000, // 3min
<string>user.getOrFail('name'), 1000, 60 * 1000); // 1min user.getOrFail('id').toString(), 1000, 60 * 1000); // 1min
Throttler.throttle('login_failed_attempts_ip', 50, 60 * 1000, // 1min Throttler.throttle('login_failed_attempts_ip', 50, 60 * 1000, // 1min
req.ip, 1000, 3600 * 1000); // 1h req.ip, 1000, 3600 * 1000); // 1h
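Review bot: The `login_failed_attempts_user` call has no comment saying what its key is or why, and with this change the key becomes a bare numeric id. I would add above it `// Keyed by user id: present on every stored user and (presumably) stable across renames, unlike the optional name.` The positional arguments (`3`, `1000`, and the two durations) are only partly explained by the trailing `// 3min` / `// 1min` comments, so a one-line note on what each position means would help whoever tunes these limits. Because this limit is keyed on the account alone, failed attempts from any source presumably count against the legitimate owner too; the comment should state that this is an accepted trade-off next to the per-IP limit. The enclosing `catch` block starts and ends outside the hunk.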