From f99c62a5d97f94c098424743d314f6363896bf78 Mon Sep 17 00:00:00 2001
From: Alice Gaudon
Date: Sun, 15 Nov 2020 15:49:40 +0100
Subject: [PATCH] Increase login fail per ip throttle limit and jail time

---
 src/auth/password/PasswordAuthMethod.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/auth/password/PasswordAuthMethod.ts b/src/auth/password/PasswordAuthMethod.ts
index 11993d6..c3f053c 100644
--- a/src/auth/password/PasswordAuthMethod.ts
+++ b/src/auth/password/PasswordAuthMethod.ts
@@ -54,10 +54,10 @@ export default class PasswordAuthMethod implements AuthMethod
 await this.app.as(AuthComponent).getAuthGuard().authenticateOrRegister(req.getSession(), passwordAuthProof);
 } catch (e) {
 if (e instanceof AuthError) {
- Throttler.throttle('login_failed_attempts_user', 3, 180000,
- user.getOrFail('name'), 1000, 60000);
- Throttler.throttle('login_failed_attempts_ip', 5, 60000,
- req.ip, 1000, 60000);
+ Throttler.throttle('login_failed_attempts_user', 3, 3 * 60 * 1000, // 3min
+ user.getOrFail('name'), 1000, 60 * 1000); // 1min
+ Throttler.throttle('login_failed_attempts_ip', 50, 60 * 1000, // 1min
+ req.ip, 1000, 3600 * 1000); // 1h
 if (e instanceof PendingApprovalAuthError) {
 req.flash('error', 'Your account is still being reviewed.');