Tighten the default rate limit of creating new devices. (#15135)

Patrick Cloke 2023-02-22 14:37:18 -05:00 committed by GitHub
parent 6def779a1a
commit 4ed08ff72e
3 changed files with 15 additions and 5 deletions

changelog.d/15135.misc Normal file

@ -0,0 +1 @@
Tighten the login ratelimit defaults.


@ -1518,11 +1518,11 @@ rc_registration_token_validity:
This option specifies several limits for login: This option specifies several limits for login:
* `address` ratelimits login requests based on the client's IP * `address` ratelimits login requests based on the client's IP
address. Defaults to `per_second: 0.17`, `burst_count: 3`. address. Defaults to `per_second: 0.003`, `burst_count: 5`.
* `account` ratelimits login requests based on the account the * `account` ratelimits login requests based on the account the
client is attempting to log into. Defaults to `per_second: 0.17`, client is attempting to log into. Defaults to `per_second: 0.03`,
`burst_count: 3`. `burst_count: 5`.
* `failed_attempts` ratelimits login requests based on the account the * `failed_attempts` ratelimits login requests based on the account the
client is attempting to log into, based on the amount of failed login client is attempting to log into, based on the amount of failed login


@ -87,9 +87,18 @@ class RatelimitConfig(Config):
defaults={"per_second": 0.1, "burst_count": 5}, defaults={"per_second": 0.1, "burst_count": 5},
) )
# It is reasonable to login with a bunch of devices at once (i.e. when
# setting up an account), but it is *not* valid to continually be
# logging into new devices.
rc_login_config = config.get("rc_login", {}) rc_login_config = config.get("rc_login", {})
self.rc_login_address = RatelimitSettings(rc_login_config.get("address", {})) self.rc_login_address = RatelimitSettings(
self.rc_login_account = RatelimitSettings(rc_login_config.get("account", {})) rc_login_config.get("address", {}),
defaults={"per_second": 0.003, "burst_count": 5},
)
self.rc_login_account = RatelimitSettings(
rc_login_config.get("account", {}),
defaults={"per_second": 0.003, "burst_count": 5},
)
self.rc_login_failed_attempts = RatelimitSettings( self.rc_login_failed_attempts = RatelimitSettings(
rc_login_config.get("failed_attempts", {}) rc_login_config.get("failed_attempts", {})
) )
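Review bot: The `account` default written on L45 (`"per_second": 0.003`) disagrees with the documentation changed in this same commit, which states that the `account` limit defaults to `per_second: 0.03`, `burst_count: 5`; one of the two is wrong, and as written an operator who trusts the documented value gets an account-scoped limit ten times stricter than described. The new comment above the assignments distinguishes the IP-scoped `address` limit from the per-account one, so the looser documented figure for `account` looks intentional; if that is the case, L45 should read `defaults={"per_second": 0.03, "burst_count": 5},`, otherwise the doc line needs to follow the code. A unit test that asserts both default `RatelimitSettings` values would keep the code and the config documentation from drifting apart again. The enclosing method starts before this hunk and continues past it, and the hunk's final context line appears to be cut from this view.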