GJordao / simple-auth

An authentication service that aims to be simple and customisable
MIT License
3 stars 3 forks

Add max number of tries for logins #23

Open GJordao opened 3 years ago

GJordao commented 3 years ago

Wondering if we should lock the IP address instead of the account? @MicroAnibal @nneves

On one hand it would be better for the user: if someone is trying to access their account maliciously, the user will still be able to log in. On the other hand, if the attacker has access to multiple IPs they can continue to try.

GJordao commented 3 years ago

I found this thread on SO discussing this and I think a mixed approach might be the way to go. We block logins from that IP address for that account. I think this makes sense in terms of security, and the situations where other users on the same IP would block an account would be corner cases. The block would also be time-based anyway.
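The mixed approach described in the comment above, keyed on the (IP address, account) pair with a time-based lock, as an added example. This is illustrative code written for this thread, not code from GJordao/simple-auth; the class and constant names (`LoginLimiter`, `MAX_TRIES`, `LOCKOUT_SECONDS`), the in-memory store and the sample IP addresses are all assumptions made for the example.

```python
"""Added example: per-(IP, account) login attempt limiter.

Illustrative code for the issue discussion, not part of GJordao/simple-auth.
LoginLimiter, MAX_TRIES, LOCKOUT_SECONDS, the in-memory dict and the IPs in
demo() are assumptions; a real service would keep this state in a shared store
(e.g. Redis) so the limit survives restarts and applies across instances.
"""
import time
from dataclasses import dataclass

MAX_TRIES = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class _Bucket:
    failures: int = 0
    locked_until: float = 0.0


class LoginLimiter:
    """Counts failed logins per (client IP, account) pair and applies a time-based lock."""

    def __init__(self, max_tries=MAX_TRIES, lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_tries = max_tries
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so tests can advance time deterministically
        self._buckets: dict[tuple[str, str], _Bucket] = {}

    @staticmethod
    def _key(ip: str, account: str) -> tuple[str, str]:
        # Normalise the account name so "Alice" and "alice" share one counter.
        return (ip, account.strip().lower())

    def is_blocked(self, ip: str, account: str) -> bool:
        key = self._key(ip, account)
        bucket = self._buckets.get(key)
        if bucket is None or not bucket.locked_until:
            return False
        if self.clock() < bucket.locked_until:
            return True
        # Lock has expired: forget the pair entirely so the counter starts fresh.
        del self._buckets[key]
        return False

    def record_failure(self, ip: str, account: str) -> bool:
        """Count one failed attempt; returns True if this failure triggered the lock."""
        bucket = self._buckets.setdefault(self._key(ip, account), _Bucket())
        bucket.failures += 1
        if bucket.failures >= self.max_tries:
            bucket.locked_until = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, ip: str, account: str) -> None:
        """A successful login clears the counter for this pair."""
        self._buckets.pop(self._key(ip, account), None)

    def attempt(self, ip: str, account: str, password_ok: bool) -> str:
        """Full login flow; password_ok stands in for the real credential check.

        Returns one of "blocked", "ok", "locked", "denied". The lock is checked
        before the credential is verified, so a locked pair learns nothing about
        whether the guessed password was actually right.
        """
        if self.is_blocked(ip, account):
            return "blocked"
        if password_ok:
            self.record_success(ip, account)
            return "ok"
        return "locked" if self.record_failure(ip, account) else "denied"


def demo() -> list[str]:
    """Walk through the scenarios from the discussion with a fake clock (constructed data)."""
    now = [0.0]
    limiter = LoginLimiter(max_tries=3, lockout_seconds=60, clock=lambda: now[0])
    attacker_ip, home_ip = "203.0.113.7", "198.51.100.9"  # assumed sample addresses
    results = []
    # Attacker guesses alice's password three times from one IP.
    for _ in range(3):
        results.append(limiter.attempt(attacker_ip, "alice", password_ok=False))
    # Even the correct password is refused from the locked IP for this account...
    results.append(limiter.attempt(attacker_ip, "alice", password_ok=True))
    # ...but alice can still log in from her own IP,
    results.append(limiter.attempt(home_ip, "alice", password_ok=True))
    # and bob, behind the same IP as the attacker, is unaffected.
    results.append(limiter.attempt(attacker_ip, "bob", password_ok=True))
    # After the lockout window the pair is cleared and alice can log in from that IP too.
    now[0] = 61.0
    results.append(limiter.attempt(attacker_ip, "alice", password_ok=True))
    return results


if __name__ == "__main__":
    print(demo())
```

Two things to settle before using a scheme like this in the service: which header the client IP is read from (only trust `X-Forwarded-For` from your own proxy, otherwise the attacker picks the key), and that the counters live in a store shared by all instances, since a per-process dict lets an attacker spread tries across replicas.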