riverrun / phauxth

Not actively maintained - Authentication library for Phoenix, and other Plug-based, web applications

[FEATURE] Too Many Login Attempts #117

Closed keslert closed 4 years ago

keslert commented 4 years ago

Problem

Many applications limit failed login attempts by ip address and username.

Solution

I imagine this would happen in the session_controller using the result of Login.verify to store failed attempts in a "failed_attempts" table. Also before calling Login.verify, you'd have a preliminary call to Login.rate_limited?(email, ip_address).

Does this seem like a valid approach? Is there a more accepted approach?
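An added example (not code from the issue author or the Phauxth project) of the flow sketched above: a fixed-window counter of failed logins kept in ETS rather than a database table, keyed separately by email and by IP, with a `rate_limited?/2` check before the verify call and bookkeeping after it. The module name, the 15-minute/5-failure policy and the `MyApp.Accounts.Login.verify/1` callback are assumptions.

```elixir
defmodule MyAppWeb.LoginRateLimiter do
  # Fixed-window failed-login counter keyed by IP and by email, kept in ETS (single node).
  @table :failed_login_attempts
  @window_ms 15 * 60 * 1000  # 15-minute window (assumed policy)
  @max_failures 5            # failures allowed per key per window (assumed policy)

  # Create the table once, e.g. from the application start callback.
  def init do
    if :ets.whereis(@table) == :undefined, do: :ets.new(@table, [:named_table, :public, :set])
  end

  # Preliminary check: refuse when either the email or the IP is over budget.
  def rate_limited?(email, ip), do: Enum.any?(keys(email, ip), &over_limit?/1)

  # Bookkeeping after a failed verify; a new window starts once the old one expired.
  def record_failure(email, ip) do
    now = now_ms()
    Enum.each(keys(email, ip), fn key ->
      case :ets.lookup(@table, key) do
        [{^key, count, started}] when now - started < @window_ms ->
          :ets.insert(@table, {key, count + 1, started})
        _ ->
          :ets.insert(@table, {key, 1, now})
      end
    end)
  end

  # On success clear only the email counter; the IP counter keeps covering other accounts.
  def reset(email), do: :ets.delete(@table, {:email, String.downcase(email)})

  # Wrap a verify function (e.g. &MyApp.Accounts.Login.verify/1, name assumed) with the check.
  def verify_with_limit(params, ip, verify_fun) do
    email = Map.get(params, "email", "")
    if rate_limited?(email, ip) do
      {:error, :rate_limited}
    else
      case verify_fun.(params) do
        {:ok, user} -> reset(email); {:ok, user}
        {:error, reason} -> record_failure(email, ip); {:error, reason}
      end
    end
  end

  defp keys(email, ip), do: [{:email, String.downcase(email)}, {:ip, ip}]
  defp now_ms, do: System.monotonic_time(:millisecond)

  defp over_limit?(key) do
    case :ets.lookup(@table, key) do
      [{^key, count, started}] -> now_ms() - started < @window_ms and count >= @max_failures
      [] -> false
    end
  end
end
```

In the session controller the action would call `verify_with_limit(params, ip, &MyApp.Accounts.Login.verify/1)` with `ip` taken from `conn.remote_ip`, and answer `{:error, :rate_limited}` with a 429 without revealing whether the account exists.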

riverrun commented 4 years ago

First of all, this issue (rate limiting) is beyond the scope of this authentication library. However, I have implemented rate limiting for another open source library, and I can provide a link to that and other useful links.

The commit where I added rate limiting is this one, using the Hammer library, and it was in response to this issue.

There is another rate limiting library called ex_rated, and this blog post can provide you with information about how you could use it in a Phoenix app.

If you have any further questions, just let me know.