DMPRoadmap / roadmap

DCC/UC3 collaboration for a data management planning tool
MIT License

Updated Rack Attack configuration to address vulnerabilities in password updates #3455

Closed johnpinto1 closed 2 months ago

johnpinto1 commented 2 months ago

Changes: The fix involves adding a new Rack Attack rule "profile_updates/ip" and rewriting the body of the rules "password_resets/ip" and "logins/ip" so that the request IP is returned if the rule is triggered.

To Test:

[Screenshot: Selection_218]

You should get the following message with each test above.

[Screenshot: Selection_217]
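Added example, not part of the pull request or the DMPRoadmap code: a small pure-Ruby model of per-IP throttle rules with the three rule names mentioned above, showing that the block's return value is the bucket key and that a nil return leaves the request uncounted. `MiniThrottle`, `Req`, `build_limiter`, the paths (Devise-style defaults), the limits and the periods are all assumptions for illustration.

```ruby
# Stand-in for the throttle semantics of Rack::Attack so this runs without the gem.
# Req, MiniThrottle and build_limiter are hypothetical names; paths/limits are assumed.
Req = Struct.new(:ip, :path, :verb) do
  def post?; verb == 'POST'; end
  def put?;  verb == 'PUT';  end
end

class MiniThrottle
  def initialize
    @rules = {}
    @counts = Hash.new(0)
  end

  # Same shape as a Rack::Attack throttle rule: the block returns the bucket
  # key (discriminator); nil/false means this rule does not count the request.
  def throttle(name, limit:, period:, &block)
    @rules[name] = { limit: limit, period: period, block: block }
  end

  # Returns the name of the first rule that throttles the request, or nil.
  def check(req, now)
    hit = nil
    @rules.each do |name, rule|
      key = rule[:block].call(req)
      next unless key
      window = now.to_i / rule[:period] # fixed time window, in seconds
      count = (@counts[[name, key, window]] += 1)
      hit ||= name if count > rule[:limit]
    end
    hit
  end
end

def build_limiter
  limiter = MiniThrottle.new
  # Each rule keys its counter on the client IP, and only for matching requests.
  limiter.throttle('logins/ip', limit: 5, period: 20) do |req|
    req.ip if req.path == '/users/sign_in' && req.post?
  end
  limiter.throttle('password_resets/ip', limit: 5, period: 30) do |req|
    req.ip if req.path == '/users/password' && req.post?
  end
  limiter.throttle('profile_updates/ip', limit: 5, period: 30) do |req|
    req.ip if req.path == '/users' && req.put?
  end
  limiter
end
```

Because the key is the IP, one client exhausting its budget does not affect another, and requests that do not match a rule's path and verb never consume that rule's budget.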

johnpinto1 commented 2 months ago

Please hold on this. I see I must fix tests, and I found a bug.

johnpinto1 commented 2 months ago

Withdrawing until fixed issues mentioned earlier.