Open jchauncey opened 8 years ago
Would some kind of rate-limiting feature fix this?
I think it depends on how complicated we want to get. Honestly, this probably plays into a larger theme feature which is Org management/security enhancements/(auth/id) management. But I think after 3 or 5 times you are locked out until an admin unlocks you or we trigger an unlock event somehow.
https://www.djangopackages.com/grids/g/antiflood/ here are a few - tho most will want a cache (redis / memcache) of some sort to store login attempts, etc
We have a redis component now so the cache is no longer a blocker.
That redis component is used for logging - we shouldn't be re-using components all too much. We could do it but then we'd have to do more sanity checking / users / acl kind of dealio so logger doesn't blow up controller cache and other way around
True, I was thinking we would use a second database on the redis component or we would deploy the deis-redis component twice, once for logger and once for the controller.
Redis has a default of 32 "databases". IIRC logger is only using one, so there's nothing technically stopping us from using another :)
This issue was moved to teamhephy/controller#67
Right now we do not restrict the number of times people can fail a login attempt.