Open gimenete opened 7 years ago
reCAPTCHA was added, but we might want to implement other mechanisms.
You might want to increase the response time slightly with every incorrect attempt as well.
Yeah, agreed.
I've looked at this module for in-memory rate limiting: https://github.com/jhurliman/node-rate-limiter
And these docs for using redis for rate limiting: https://redis.io/commands/incr#pattern-rate-limiter-1
The first step would be to just add rate limiting in nginx through `limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;`, for example.
We could advise on that.
We might not need to hit the actual app for this.
It would also make sense to cache the JWTs in redis, and then a quick check can filter out most unauthorized requests without having to decode or verify any session IDs.
There should be protection against brute force attacks by slowing down the server:
We need to store some counters either in memory (default) or redis (an opt-in feature that would allow multiple server instances to share the same counters).
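The counter-plus-growing-delay idea from the comments above, as an added example (not the project's code): a login throttle with a pluggable store whose `incr`/`get` interface mirrors the Redis INCR + EXPIRE pattern linked earlier, so a redis-backed store could be swapped in. All class and parameter names here are assumptions.

```javascript
// In-memory counter store with per-key expiry windows (the default backend).
// A redis store implementing the same incr/get/reset methods could replace it.
class MemoryStore {
  constructor() { this.map = new Map(); }
  // Current count for key, or 0 if absent or expired.
  get(key, now = Date.now()) {
    const e = this.map.get(key);
    return e && e.expiresAt > now ? e.count : 0;
  }
  // Increment and return the new count; a fresh window starts when expired.
  incr(key, windowMs, now = Date.now()) {
    const e = this.map.get(key);
    if (!e || e.expiresAt <= now) {
      this.map.set(key, { count: 1, expiresAt: now + windowMs });
      return 1;
    }
    e.count += 1;
    return e.count;
  }
  reset(key) { this.map.delete(key); }
}

// Throttle keyed by client address (or username): blocks after maxAttempts
// failures in a window, and reports a reply delay that doubles per failure.
class LoginThrottle {
  constructor({ store = new MemoryStore(), windowMs = 15 * 60 * 1000,
                maxAttempts = 5, baseDelayMs = 250, maxDelayMs = 8000 } = {}) {
    Object.assign(this, { store, windowMs, maxAttempts, baseDelayMs, maxDelayMs });
  }
  // Call before verifying credentials; true means reject without checking.
  isBlocked(key, now = Date.now()) {
    return this.store.get(key, now) >= this.maxAttempts;
  }
  // Call after a failed login; the caller sleeps delayMs before responding.
  onFailure(key, now = Date.now()) {
    const attempts = this.store.incr(key, this.windowMs, now);
    const delayMs = Math.min(this.baseDelayMs * 2 ** (attempts - 1), this.maxDelayMs);
    return { blocked: attempts >= this.maxAttempts, attempts, delayMs };
  }
  // A successful login clears the counter for that key.
  onSuccess(key) { this.store.reset(key); }
}
```

The nginx `limit_req_zone` rule in the comment above still belongs in front of this; the throttle only slows and caps what reaches the app.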