
Use user id to throttle failed login attempts instead of name

This allows UserNameComponent to be optional
develop
Alice Gaudon 4 months ago
parent
commit
533cef5ab8
  1. 2
      src/auth/password/PasswordAuthMethod.ts

2
src/auth/password/PasswordAuthMethod.ts

@ -66,7 +66,7 @@ export default class PasswordAuthMethod implements AuthMethod<PasswordAuthProof>
} catch (e) {
if (e instanceof AuthError) {
Throttler.throttle('login_failed_attempts_user', 3, 3 * 60 * 1000, // 3min
<string>user.getOrFail('name'), 1000, 60 * 1000); // 1min
user.getOrFail('id').toString(), 1000, 60 * 1000); // 1min
Throttler.throttle('login_failed_attempts_ip', 50, 60 * 1000, // 1min
req.ip, 1000, 3600 * 1000); // 1h
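Review bot: The new throttle key `user.getOrFail('id').toString()` has no comment saying why the counter is keyed by id, so the reason (the name component may be absent) lives only in the commit message. A one-line comment above the `login_failed_attempts_user` call would keep it from being switched back, for example `// Keyed by user id, not name: UserNameComponent is optional.` Because this counter is per account and shared by every client that targets it, it would also help to note next to the `3, 3 * 60 * 1000` limits whether reaching them blocks the account owner too; `Throttler.throttle` is not visible here, so that is a question to confirm rather than a finding. The catch block and the enclosing method start and end outside the hunk.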
