Increase login fail per ip throttle limit and jail time

2020-11-15 15:49:40 +01:00 · 2020-11-15 15:49:40 +01:00 · f99c62a5d9
parent 72fe0bbda8
commit f99c62a5d9
1 changed files with 4 additions and 4 deletions
--- a/src/auth/password/PasswordAuthMethod.ts
+++ b/src/auth/password/PasswordAuthMethod.ts
@ -54,10 +54,10 @@ export default class PasswordAuthMethod implements AuthMethod<PasswordAuthProof>
            await this.app.as(AuthComponent).getAuthGuard().authenticateOrRegister(req.getSession(), passwordAuthProof);
        } catch (e) {
            if (e instanceof AuthError) {
-                Throttler.throttle('login_failed_attempts_user', 3, 180000,
-                    <string>user.getOrFail('name'), 1000, 60000);
-                Throttler.throttle('login_failed_attempts_ip', 5, 60000,
-                    req.ip, 1000, 60000);
+                Throttler.throttle('login_failed_attempts_user', 3, 3 * 60 * 1000, // 3min
+                    <string>user.getOrFail('name'), 1000, 60 * 1000); // 1min
+                Throttler.throttle('login_failed_attempts_ip', 50, 60 * 1000, // 1min
+                    req.ip, 1000, 3600 * 1000); // 1h

                if (e instanceof PendingApprovalAuthError) {
                    req.flash('error', 'Your account is still being reviewed.');