
Use user id to throttle failed login attempts instead of name

This allows UserNameComponent to be optional
develop
Alice Gaudon 2 weeks ago
parent
commit
533cef5ab8
1 changed files with 1 additions and 1 deletions
  1. +1
    -1
      src/auth/password/PasswordAuthMethod.ts

+ 1
- 1
src/auth/password/PasswordAuthMethod.ts View File

@ -66,7 +66,7 @@ export default class PasswordAuthMethod implements AuthMethod<PasswordAuthProof>
} catch (e) {
if (e instanceof AuthError) {
Throttler.throttle('login_failed_attempts_user', 3, 3 * 60 * 1000, // 3min
<string>user.getOrFail('name'), 1000, 60 * 1000); // 1min
user.getOrFail('id').toString(), 1000, 60 * 1000); // 1min
Throttler.throttle('login_failed_attempts_ip', 50, 60 * 1000, // 1min
req.ip, 1000, 3600 * 1000); // 1h
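Review bot: The per-account bucket key is now `user.getOrFail('id').toString()`, evaluated inside the `catch (e)` handler ahead of the `login_failed_attempts_ip` call, and nothing in the hunk shows that `user` always has an id at this point. If `getOrFail` throws on a missing field, as its name suggests, the original `AuthError` would be replaced by a different error and the per-IP accounting on the following lines would be skipped for that attempt. Either record the invariant next to the call, for example `// user is a loaded record here, so 'id' is always set; the name component is optional`, or move the `login_failed_attempts_ip` call above the per-user one so the IP counter is always charged. The limits (3 attempts per 3 minutes per account, 50 per minute per IP) are bare literals that would be easier to audit as named constants. The enclosing method starts and ends outside this hunk, so how `user` is resolved before the `try` cannot be checked from here.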

