kuzzleio / kuzzle

Open-source Back-end, self-hostable & ready to use - Real-time, storage, advanced search - Web, Apps, Mobile, IoT -
https://kuzzle.io
Apache License 2.0

Better error messages when too many logins are submitted #1781

Closed (closed by scottinet 2 years ago)

scottinet commented 4 years ago

Description

Kuzzle features a rate limiter for any API route OTHER THAN auth:login: that particular route is managed separately, to prevent spam by anonymous users from disabling user logins, which would allow authenticated users to benefit from dedicated rate limiters.

The auth:login limit is handled by the limits.loginsPerSecond rc configuration key, and is applied per second and per unique network connection.

When the login limit is reached, a standard "too many requests" error is sent back to the client, which can be misleading: since the login limit is handled separately, this error leads customers to think that the problem lies with the rate limiters, which is not the case.

To prevent this, we need a dedicated "too many logins" error (which would still be a HTTP 429 error), to make things clearer for our users.

Possible implementation

Add a new error in 2-api.json

Throw the error in the funnel when there are too many login attempts
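The separation described above (a per-connection, per-second limiter for auth:login that fails with its own "too many logins" error, still HTTP 429, while every other route goes through the ordinary per-user rate limiter and its generic "too many requests" error) as an added, self-contained example. This is illustrative code written for this page, not Kuzzle's own funnel or error definitions: the error ids (`example.too_many_logins`, `example.too_many_requests`), the class names, the `dispatch` stand-in for the funnel and the request shape are all assumptions, and the clock is injectable so the burst can be reproduced deterministically.

```javascript
// Added example, not Kuzzle's own code: a per-connection, per-second login
// limiter that fails with a dedicated "too many logins" error (still HTTP 429)
// instead of the generic "too many requests" error of the ordinary rate
// limiter. Error ids, class names and the request shape are assumptions.

class KuzzleError extends Error {
  constructor(message, id, status) {
    super(message);
    this.id = id;         // machine-readable error id (placeholder values below)
    this.status = status; // HTTP status carried back to the client
  }
}

// Generic error raised by the per-user rate limiter of every other route.
class TooManyRequestsError extends KuzzleError {
  constructor() { super('Too many requests.', 'example.too_many_requests', 429); }
}

// Dedicated error for auth:login, so clients can tell the two cases apart.
class TooManyLoginsError extends KuzzleError {
  constructor(limit) {
    super(`Too many login attempts (limit: ${limit} per second).`, 'example.too_many_logins', 429);
  }
}

// Fixed one-second window per key. `now` is injectable so behaviour can be
// reproduced deterministically; it defaults to the wall clock.
class WindowLimiter {
  constructor(limit, makeError, now = () => Date.now()) {
    this.limit = limit;
    this.makeError = makeError;
    this.now = now;
    this.windows = new Map(); // key -> { start, count }
  }

  // Consume one slot for `key`; throw the configured error once the window is full.
  check(key) {
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t - w.start >= 1000) {
      w = { start: t, count: 0 };
      this.windows.set(key, w);
    }
    if (w.count >= this.limit) {
      throw this.makeError(this.limit);
    }
    w.count += 1;
    return w.count;
  }

  // Forget expired windows so idle connections do not accumulate in memory.
  sweep() {
    const t = this.now();
    for (const [key, w] of this.windows) {
      if (t - w.start >= 1000) this.windows.delete(key);
    }
    return this.windows.size;
  }
}

// Minimal stand-in for the funnel: auth:login is keyed by network connection
// and checked by its own limiter; every other route goes through the per-user
// limiter. Returns the response object the client would receive.
function dispatch(request, limiters) {
  const action = `${request.controller}:${request.action}`;
  try {
    if (action === 'auth:login') {
      limiters.login.check(request.connectionId);
    } else {
      limiters.api.check(request.userId);
    }
    return { status: 200, action };
  } catch (err) {
    if (!(err instanceof KuzzleError)) throw err;
    return { status: err.status, error: { id: err.id, message: err.message } };
  }
}

function makeLimiters(loginsPerSecond, requestsPerSecond, now) {
  return {
    login: new WindowLimiter(loginsPerSecond, limit => new TooManyLoginsError(limit), now),
    api: new WindowLimiter(requestsPerSecond, () => new TooManyRequestsError(), now),
  };
}

// Stand-alone demo with a constructed clock: connection "c1" sends four logins
// within one second against limits.loginsPerSecond = 3 (constructed input).
const clock = { t: 0 };
const demo = makeLimiters(3, 50, () => clock.t);
const login = { controller: 'auth', action: 'login', connectionId: 'c1', userId: '-1' };
const results = [1, 2, 3, 4].map(() => dispatch(login, demo));
console.log(results.map(r => r.status)); // [200, 200, 200, 429]
console.log(results[3].error.id);        // example.too_many_logins
```

The two limiters share the window logic but differ in key and in error: the login limiter is keyed by connection id, so an anonymous flood from one connection cannot exhaust the budget of authenticated users on other connections, and the distinct error id is what lets a client (or a support engineer reading the response) see that the login limit, not the general rate limiter, rejected the request.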

sagarmulchandani commented 4 years ago

Hi @scottinet, I have made the changes as per the requirements mentioned above. You can review the changes in the PR. Do let me know if any additional changes are required upon review.

This PR is part of my contribution towards Hacktoberfest. If upon review it is eligible, please do add the hacktoberfest-accepted label to it. Thank you :)