Draft: Add error page for too many logins
What does this MR do?
Add an error page if you exceed the login rate limit. This will prevent password brute-force attacks.
I allow 5 requests per second, and a burst of 10 requests.
Then the rate-limit.html page is shown.
After 50 failures, the IP is banned for 5 minutes and cannot access our server anymore. The counter is reset after 1 hour.
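For reviewers, here is a small simulation of the policy described above (5 r/s, burst of 10, 429 page while over the limit, IP ban for 5 minutes after 50 failures, failure counter forgotten after 1 hour). It is added for illustration only and is not the project's code or the real configuration from the ansible MR; the token-bucket model, the outcome names and the sample IPs are my own assumptions.

```python
# Illustrative model of the login throttling described in this MR (assumed
# token-bucket semantics, not the real server configuration).
from collections import defaultdict
from dataclasses import dataclass

RATE = 5.0            # allowed requests per second on the login endpoint
BURST = 10            # extra requests tolerated in a short spike
BAN_AFTER = 50        # failures (rate-limit hits) before the IP is banned
BAN_SECONDS = 300     # ban length: 5 minutes
RESET_SECONDS = 3600  # failure counter is forgotten after 1 hour


@dataclass
class ClientState:
    tokens: float = float(BURST)  # bucket refilled at RATE tokens per second
    last: float = 0.0             # time of the previous refill
    failures: int = 0             # rate-limit hits counted towards a ban
    first_failure: float = 0.0    # start of the 1-hour counting window
    banned_until: float = 0.0


class LoginLimiter:
    def __init__(self):
        self.clients = defaultdict(ClientState)

    def check(self, ip: str, now: float) -> str:
        """Return "ok" (pass the request on), "limited" (serve the
        rate-limit.html page with 429) or "banned" (drop the client)."""
        c = self.clients[ip]
        if now < c.banned_until:
            return "banned"
        # Forget old failures once an hour has passed since the first one.
        if c.failures and now - c.first_failure >= RESET_SECONDS:
            c.failures = 0
        # Refill the bucket for the elapsed time, capped at the burst size.
        c.tokens = min(float(BURST), c.tokens + (now - c.last) * RATE)
        c.last = now
        if c.tokens >= 1.0:
            c.tokens -= 1.0
            return "ok"
        # Over the limit: count a failure and ban when the threshold is hit.
        if c.failures == 0:
            c.first_failure = now
        c.failures += 1
        if c.failures >= BAN_AFTER:
            c.banned_until = now + BAN_SECONDS
            return "banned"
        return "limited"
```

A carrier-grade NAT address shares one bucket and one failure counter for every user behind it, which is the false-positive case noted below.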
How confident are you it won't break things if deployed?
sure
When deployed, we should keep an eye on it. The only risk I see is carrier-grade NAT that doesn't support IPv6. The number of blocked hosts will be shown here. If there are many false positives, I will increase the rate limit.
Related MR
foodsharing-ansible!10 (merged)
How to test
already active on beta - just try to log in often, and you will get a 429
seq 10 | xargs -P 10 -n 1 curl -X POST -H "Content-Type: application/json" -d 'test' https://beta.foodsharing.de/api/user/login
Checklist
- added a test, or explain why one is not needed/possible
- no unrelated changes
- asked someone for a code review
- set a "for:" label to indicate who will be affected by this change
- added an entry to CHANGELOG.md
- added a short text that can be used in the release notes
Release notes text in German
Introduction of a limit on login attempts