clevertech / authentication-service

Authentication microservice. The integration only requires redirects and JWT tokens

Brute force attacks protection #8

Open gimenete opened 7 years ago

gimenete commented 7 years ago

There should be protection against brute force attacks by slowing down the server:

We need to store some counters either in memory (default) or redis (opt-in feature that would allow multiple server instances having the same counters).

gimenete commented 7 years ago

reCAPTCHA was added, but we might want to implement other mechanisms.

callaars commented 7 years ago

You might want to increase the response time slightly with every incorrect attempt as well.

gimenete commented 7 years ago

Yeah, agreed.

I've looked at this module for in-memory rate limiting: https://github.com/jhurliman/node-rate-limiter

And these docs for using redis for rate limiting: https://redis.io/commands/incr#pattern-rate-limiter-1
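The two ideas in the thread so far (counters kept in memory by default with Redis as the shared alternative, and a response delay that grows with each incorrect attempt) put together as an added example. This is not code from clevertech/authentication-service; the store interface, key names, `LoginLimiter` and the hypothetical `handleLogin` handler are assumptions, and the in-memory store mirrors the INCR/EXPIRE pattern from the Redis docs linked above rather than wrapping a Redis client.

```javascript
'use strict';

// Added example for this thread (not clevertech/authentication-service code).
// Failed-login counters behind a small store interface: MemoryCounterStore is
// the in-memory default; the same three calls map onto the Redis INCR pattern
// linked above (incr -> MULTI/INCR/PEXPIRE/EXEC, get -> GET, del -> DEL), which
// is what lets several instances share one set of counters.
class MemoryCounterStore {
  // `now` is injectable so the window logic can be tested with a fake clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.entries = new Map();
  }

  // Increment `key`, creating it with a lifetime of `windowMs` on first use
  // (INCR + PEXPIRE-on-create). Returns the new count.
  incr(key, windowMs) {
    const t = this.now();
    let entry = this.entries.get(key);
    if (!entry || entry.expiresAt <= t) {
      entry = { count: 0, expiresAt: t + windowMs };
      this.entries.set(key, entry);
    }
    entry.count += 1;
    return entry.count;
  }

  get(key) {
    const entry = this.entries.get(key);
    return entry && entry.expiresAt > this.now() ? entry.count : 0;
  }

  del(key) {
    this.entries.delete(key);
  }
}

class LoginLimiter {
  constructor({ store, windowMs = 15 * 60 * 1000, maxAttempts = 10,
                baseDelayMs = 250, maxDelayMs = 8000 } = {}) {
    this.store = store || new MemoryCounterStore();
    this.windowMs = windowMs;
    this.maxAttempts = maxAttempts;
    this.baseDelayMs = baseDelayMs;
    this.maxDelayMs = maxDelayMs;
  }

  // Call before checking credentials. Counts failures both per source IP and
  // per target account: IP-only limits miss distributed guessing, account-only
  // limits let an attacker lock a victim out; taking the larger of the two
  // throttles both. Returns { allowed, delayMs, remaining }.
  check(ip, username) {
    const failures = Math.max(
      this.store.get(`login:ip:${ip}`),
      this.store.get(`login:user:${username}`));
    if (failures >= this.maxAttempts) {
      return { allowed: false, delayMs: 0, remaining: 0 };
    }
    // Response time grows with each failure: 0 for a clean slate, then
    // baseDelayMs * 2^(failures-1), capped so a legitimate user is never
    // stalled for minutes.
    const delayMs = failures === 0
      ? 0
      : Math.min(this.maxDelayMs, this.baseDelayMs * 2 ** (failures - 1));
    return { allowed: true, delayMs, remaining: this.maxAttempts - failures };
  }

  recordFailure(ip, username) {
    this.store.incr(`login:ip:${ip}`, this.windowMs);
    this.store.incr(`login:user:${username}`, this.windowMs);
  }

  // Success clears the account counter only; the IP counter stays, so an
  // attacker who also holds one valid account cannot reset their own budget.
  recordSuccess(ip, username) {
    this.store.del(`login:user:${username}`);
  }
}

// Hypothetical login handler showing where the three calls sit; `checkPassword`
// stands in for the service's real credential check.
async function handleLogin(limiter, ip, username, checkPassword) {
  const verdict = limiter.check(ip, username);
  if (!verdict.allowed) return { status: 429 };
  if (verdict.delayMs > 0) {
    await new Promise((resolve) => setTimeout(resolve, verdict.delayMs));
  }
  if (await checkPassword(username)) {
    limiter.recordSuccess(ip, username);
    return { status: 200 };
  }
  limiter.recordFailure(ip, username);
  // Same status and body as an unknown user, so the response does not reveal
  // which usernames exist.
  return { status: 401 };
}

if (typeof module !== 'undefined') {
  module.exports = { MemoryCounterStore, LoginLimiter, handleLogin };
}
```

The delay is returned rather than slept inside `check` so the caller can decide whether to hold the connection (costs a socket per stalled attacker) or simply reject once the budget is gone; for a multi-instance deployment only the store changes, the limiter logic does not.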

callaars commented 7 years ago

The first step would be to just add rate limiting in nginx through: limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s; for example.

We could advise on that.
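The `limit_req_zone` line above only declares the shared counter; nothing is throttled until a `location` references the zone with `limit_req`. An added example of the complete configuration (not the project's own nginx config; the `/login` path and the `authentication-service` upstream are assumptions):

```nginx
# Added example, not clevertech/authentication-service configuration.
http {
    # Assumed upstream for the Node service.
    upstream authentication-service {
        server 127.0.0.1:3000;
    }

    # One state per client IP, keyed on $binary_remote_addr (4 bytes per IPv4
    # client); 1 request/second sustained. Declaring the zone does nothing by
    # itself.
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

    # Answer throttled requests with 429 instead of the default 503, so
    # clients and dashboards can tell rate limiting apart from an outage.
    limit_req_status 429;

    server {
        listen 443 ssl;
        # ... server_name, ssl_certificate, ssl_certificate_key ...

        # Apply the zone only to the credential-submitting endpoint (assumed
        # path), not to the whole service. burst=5 lets a human retry a few
        # times quickly; nodelay rejects anything past the burst immediately
        # instead of queueing it.
        location = /login {
            limit_req zone=login burst=5 nodelay;
            proxy_pass http://authentication-service;
        }

        location / {
            proxy_pass http://authentication-service;
        }
    }
}
```

Two caveats before relying on this alone: if nginx sits behind a load balancer or CDN, `$binary_remote_addr` is that proxy's address and every user shares one bucket until the real IP is restored (ngx_http_realip_module with `set_real_ip_from` / `real_ip_header`); and a per-IP limit does nothing against a distributed attack that spreads guesses over many addresses, which is why the per-account counters in the application are still needed.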

callaars commented 7 years ago

We might not need to hit the actual app for this.

chadfurman commented 6 years ago

It would also make sense to cache the JWTs in redis, and then a quick check can filter out most unauthorized requests without having to decode or verify any session IDs