go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Ratelimiting user logins #21906

Open lunny opened 1 year ago

lunny commented 1 year ago

Feature Description

When a user inputs the wrong password several times, Gitea should lock that session out of logging in for x minutes.

Screenshots

No response

silverwind commented 1 year ago

I suggest a high default like 10 logins in a 5-minute window, because nothing is more obnoxious than when you're trying a few passwords and the site rate limits the retries too early. Ideally the timeout should increase exponentially after the limit is hit.

What should the limit be based upon? IP address?

techknowlogick commented 1 year ago

@silverwind yeah, IP because if you do it by username you could essentially lock out users by failing to log in as them a few times.
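As an added example (not code from the Gitea project or from the PR linked later in this thread), the following Go limiter implements what the two comments above describe: failed logins are counted per client IP, the proposed default of 10 failures in a 5-minute window trips a lockout, and the lockout doubles on every further strike up to a cap. The `Config`, `Limiter`, and the constructed addresses from the TEST-NET ranges are assumptions of this example; the clock is injected so the behaviour can be checked without waiting.

```go
package main

import (
	"sync"
	"time"
)

// Config carries the numbers proposed in the thread: 10 failures per 5-minute
// window, then a lockout that doubles on every further strike, capped at MaxLockout.
type Config struct {
	MaxFailures int           // failed logins tolerated per window before locking
	Window      time.Duration // length of the counting window
	BaseLockout time.Duration // first lockout; doubles on each later strike
	MaxLockout  time.Duration // ceiling for the exponential backoff
}

type entry struct {
	failures    int       // failures seen in the current window
	windowStart time.Time // when the current window began
	lockedUntil time.Time // zero value when not locked
	strikes     int       // how often this key hit the limit; drives the backoff
	lastSeen    time.Time // used to evict idle keys
}

// Limiter tracks failed logins per key. The key is the client IP, as the thread
// settled on, so an attacker cannot lock a victim out by failing as them.
type Limiter struct {
	cfg  Config
	now  func() time.Time // injectable clock; pass time.Now in production
	mu   sync.Mutex
	keys map[string]*entry
}

func NewLimiter(cfg Config, now func() time.Time) *Limiter {
	return &Limiter{cfg: cfg, now: now, keys: make(map[string]*entry)}
}

// Allow reports whether a login attempt from key may proceed and, if not, how
// long the caller must wait. It allocates nothing for unknown keys, so merely
// loading the login page cannot grow the map.
func (l *Limiter) Allow(key string) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	e, ok := l.keys[key]
	if !ok {
		return true, 0
	}
	now := l.now()
	if now.Before(e.lockedUntil) {
		return false, e.lockedUntil.Sub(now)
	}
	return true, 0
}

// RecordFailure counts one failed login for key and returns true when that
// failure tripped the limit and started a lockout.
func (l *Limiter) RecordFailure(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	e, ok := l.keys[key]
	if !ok {
		e = &entry{windowStart: now}
		l.keys[key] = e
	}
	e.lastSeen = now
	if now.Sub(e.windowStart) >= l.cfg.Window { // window expired: fresh count
		e.failures, e.windowStart = 0, now
	}
	e.failures++
	if e.failures < l.cfg.MaxFailures {
		return false
	}
	// Exponential backoff: BaseLockout * 2^strikes, capped so it cannot grow forever.
	lockout := l.cfg.BaseLockout
	for i := 0; i < e.strikes && lockout < l.cfg.MaxLockout; i++ {
		lockout *= 2
	}
	if lockout > l.cfg.MaxLockout {
		lockout = l.cfg.MaxLockout
	}
	e.strikes++
	e.lockedUntil = now.Add(lockout)
	e.failures, e.windowStart = 0, now
	return true
}

// Sweep evicts keys idle longer than idle and returns how many it removed.
// Without it the map grows with every distinct source address ever seen.
func (l *Limiter) Sweep(idle time.Duration) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	now, removed := l.now(), 0
	for k, e := range l.keys {
		if now.Sub(e.lastSeen) > idle && !now.Before(e.lockedUntil) {
			delete(l.keys, k)
			removed++
		}
	}
	return removed
}
```

Call `Allow` before attempting authentication and `RecordFailure` only when the password check fails; run `Sweep` from a background ticker so the per-address state stays bounded. Because the budget is shared by everyone behind one source address, a large NAT can exhaust it for legitimate users, which is the trade-off of keying on IP rather than username.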

techknowlogick commented 1 year ago

I have a very rough PR for this here: https://github.com/go-gitea/gitea/pull/21181

Edit, oh lol I forgot you knew about that one already.

silverwind commented 1 year ago

I totally forgot about that one 😉

eloydegen commented 1 year ago

A CAPTCHA would be the best method in my view, otherwise there is still a risk of getting locked out by an attacker when something like Carrier Grade NAT is involved, although I'd see that as low risk.

lunny commented 1 year ago

Close since login with CAPTCHA has been implemented.

techknowlogick commented 1 year ago

CAPTCHAs aren't accessible, and so ratelimiting could provide an alternative.

silverwind commented 1 year ago

We can offer both options, yes.