Increase login fail per ip throttle limit and jail time

This commit is contained in:
Alice Gaudon 2020-11-15 15:49:40 +01:00
parent 72fe0bbda8
commit f99c62a5d9


@ -54,10 +54,10 @@ export default class PasswordAuthMethod implements AuthMethod<PasswordAuthProof>
await this.app.as(AuthComponent).getAuthGuard().authenticateOrRegister(req.getSession(), passwordAuthProof); await this.app.as(AuthComponent).getAuthGuard().authenticateOrRegister(req.getSession(), passwordAuthProof);
} catch (e) { } catch (e) {
if (e instanceof AuthError) { if (e instanceof AuthError) {
Throttler.throttle('login_failed_attempts_user', 3, 180000, Throttler.throttle('login_failed_attempts_user', 3, 3 * 60 * 1000, // 3min
<string>user.getOrFail('name'), 1000, 60000); <string>user.getOrFail('name'), 1000, 60 * 1000); // 1min
Throttler.throttle('login_failed_attempts_ip', 5, 60000, Throttler.throttle('login_failed_attempts_ip', 50, 60 * 1000, // 1min
req.ip, 1000, 60000); req.ip, 1000, 3600 * 1000); // 1h
if (e instanceof PendingApprovalAuthError) { if (e instanceof PendingApprovalAuthError) {
req.flash('error', 'Your account is still being reviewed.'); req.flash('error', 'Your account is still being reviewed.');