
Draft: Add error page for too many logins

Stefan C requested to merge login_rate_limit into master

What does this MR do?

Add an error page if you exceed the login rate limit. This will prevent password brute-force attacks.

I allow 5 requests per second, and a burst of 10 requests.

Then the rate-limit.html page is shown.

After 50 failures, the IP is banned for 5 minutes and cannot access our server anymore. The counter is reset after 1 hour.

How confident are you it won't break things if deployed?

sure

When deployed, we should keep an eye on it. The only risk I see is carrier-grade NAT that doesn't support IPv6. The number of blocked hosts will be shown here. If there are many false positives, I will increase the rate limit.

Related MR

foodsharing-ansible!10 (merged)

How to test

Already active on beta - just try to log in often, and you will get a 429.

seq 10 | xargs -P 10 -n 1 curl -X POST -H "Content-Type: application/json" -d 'test' https://beta.foodsharing.de/api/user/login
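The MR does not name the tool that enforces the limits, so the following is an added Python model of the stated policy (5 requests/s with a burst of 10, a 5 minute ban after 50 failures, failure counter reset after 1 hour), not the project's deployment configuration. It assumes a token bucket for the rate limit, a fixed 1 hour window for the failure counter, and that rate-limited (429) attempts are not counted as failures; the IP address and timings are constructed.

```python
"""Model of the login rate-limit policy described in the MR (added example, not project code)."""
from dataclasses import dataclass

RATE = 5.0            # sustained requests per second (MR: 5 requests/s)
BURST = 10            # token bucket capacity (MR: burst of 10)
MAX_FAILURES = 50     # failed logins before the IP is banned
BAN_SECONDS = 300     # 5 minute ban
RESET_SECONDS = 3600  # failure counter is reset after 1 hour (assumed fixed window)


@dataclass
class ClientState:
    tokens: float        # remaining burst capacity
    last: float          # time of last refill
    window_start: float  # start of the failure-counting window
    failures: int = 0
    banned_until: float = 0.0


class LoginLimiter:
    def __init__(self):
        self.clients = {}

    def check(self, ip, now, login_ok):
        """Evaluate one login attempt; return 'ok', 429 (rate-limit.html) or 403 (banned)."""
        st = self.clients.setdefault(ip, ClientState(BURST, now, now))
        if now < st.banned_until:
            return 403
        # Token bucket: refill at RATE, capped at BURST, one token per attempt.
        st.tokens = min(BURST, st.tokens + (now - st.last) * RATE)
        st.last = now
        if st.tokens < 1:
            return 429
        st.tokens -= 1
        # Failure counter with a fixed 1 hour window (assumed semantics).
        if now - st.window_start > RESET_SECONDS:
            st.failures, st.window_start = 0, now
        if not login_ok:
            st.failures += 1
            if st.failures >= MAX_FAILURES:
                st.banned_until = now + BAN_SECONDS
                st.failures = 0
                return 403
        return "ok"
```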

Checklist

  • added a test, or explain why one is not needed/possible...
  • no unrelated changes
  • asked someone for a code review
  • set a "for:" label to indicate who will be affected by this change
  • added an entry to CHANGELOG.md
  • added a short text that can be used in the release notes

Release notes text in German

Introduction of a limit on login attempts

Edited by Stefan C
