Closed (mod closed this issue 6 years ago)
We need to add Rack::Attack middleware
like peatio does.
It has good configuration https://github.com/kickstarter/rack-attack/wiki/Advanced-Configuration
I don't like the captcha solution. We should use reCAPTCHA on the frontend and limit API calls with Rack::Attack.
Agreed with you, please create an additional issue for adding Rack::Attack but I think we need both.
why did you close it @calj
@mod it was implemented at #467 and closed with that request. It's just Devise lockable.
@mod Request with Rack Attack is here https://github.com/rubykube/barong/pull/468
Implemented at 1.8.22
Ability to limit rate on login API
A malicious user tries to brute-force the login form and login API using thousands of requests.
Implementation suggestion
Study the optional Captcha on login: https://github.com/rubykube/barong/issues/356
We can count failed login attempts and the time of the last failed login attempt.
Disregarding IP and cookies, this is a MySQL-based counter that increments for each consecutive failed login but resets on the first successful login.
After 5 failed login attempts we will reject any login attempt for 10 minutes.
If after 10 minutes the login is successful, the failed login attempts counter is reset.
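The two mechanisms discussed in this thread side by side, as an added example that is not barong's code and not from PR #467/#468: the per-account failure counter proposed above (5 consecutive failures, 10-minute lockout, reset on the first success, IP and cookies ignored), and a per-IP throttle on the login endpoint of the kind the Rack::Attack comments ask for. The MySQL row is replaced by an in-memory hash and the throttle is written as a plain Rack middleware rather than a `Rack::Attack.throttle` rule so the file runs without the gem; the route path `/api/v1/sessions` and the throttle limit are assumptions. The clock is injectable so the time windows can be exercised deterministically.

```ruby
# Added example, not barong's code. In-memory stand-ins for the MySQL counter
# and for a shared cache store; paths and limits are assumptions.

# Per-account lockout: counts consecutive failures regardless of IP or cookie,
# rejects every login for LOCK_SECONDS once MAX_FAILURES is reached, and resets
# the counter on the first successful login.
class LoginLockout
  MAX_FAILURES = 5
  LOCK_SECONDS = 10 * 60

  Record = Struct.new(:failed_attempts, :last_failed_at) # would be two MySQL columns

  def initialize(clock: -> { Time.now })
    @clock = clock
    @records = Hash.new { |h, k| h[k] = Record.new(0, nil) }
  end

  # Seconds of lock remaining for this account, 0 when a login may be attempted.
  def locked_for(email)
    r = @records[email]
    return 0 if r.failed_attempts < MAX_FAILURES || r.last_failed_at.nil?
    remaining = LOCK_SECONDS - (@clock.call - r.last_failed_at)
    remaining.positive? ? remaining.ceil : 0
  end

  # The block performs the real credential check and is only run when the account
  # is not locked, so a locked account never leaks whether the password was right.
  # Returns :locked, :ok or :failed.
  def attempt(email)
    return :locked if locked_for(email).positive?
    r = @records[email]
    if yield
      r.failed_attempts = 0
      r.last_failed_at = nil
      :ok
    else
      r.failed_attempts += 1
      r.last_failed_at = @clock.call
      :failed
    end
  end
end

# Per-IP throttle on the login endpoint: at most `limit` POSTs per `period`
# seconds from one address, answered with 429 when exceeded. Rack::Attack expresses
# the same rule as Rack::Attack.throttle("logins/ip", limit:, period:) { |req| req.ip if ... }
# backed by a shared cache; this in-process hash only protects a single worker.
class LoginThrottle
  LOGIN_PATH = '/api/v1/sessions' # assumed route

  def initialize(app, limit: 20, period: 60, clock: -> { Time.now })
    @app, @limit, @period, @clock = app, limit, period, clock
    @hits = Hash.new { |h, k| h[k] = [] } # ip => timestamps within the window
  end

  def call(env)
    if env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'] == LOGIN_PATH
      ip  = env['REMOTE_ADDR']
      now = @clock.call
      @hits[ip].reject! { |t| now - t >= @period } # drop hits outside the window
      if @hits[ip].size >= @limit
        retry_after = (@period - (now - @hits[ip].first)).ceil
        return [429, { 'content-type' => 'text/plain', 'retry-after' => retry_after.to_s },
                ["Too many login attempts, retry later\n"]]
      end
      @hits[ip] << now
    end
    @app.call(env)
  end
end

if __FILE__ == $PROGRAM_NAME
  lock = LoginLockout.new
  5.times { lock.attempt('alice@example.com') { false } } # constructed failures
  puts "locked for #{lock.locked_for('alice@example.com')}s" # 600
  app = LoginThrottle.new(->(_env) { [200, {}, ['ok']] }, limit: 3)
  env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/api/v1/sessions', 'REMOTE_ADDR' => '203.0.113.7' }
  puts (1..4).map { app.call(env)[0] }.inspect # [200, 200, 200, 429]
end
```

The two layers answer different attacks: the account counter stops a distributed password-guessing run against one user (the issue's scenario, where the attacker rotates IPs), while the IP throttle stops one source from hammering the endpoint across many accounts. Either alone leaves a gap, which is why the thread ends up wanting both.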