[FEATURE] Too Many Login Attempts
keslert opened this issue · 1 comment
Problem
Many applications limit failed login attempts by ip address and username.
Solution
I imagine this would happen in the session_controller using the result of Login.verify to store failed attempts in a "failed_attempts" table. Also before calling Login.verify, you'd have a preliminary call to Login.rate_limited?(email, ip_address).
Does this seem like a valid approach? Is there a more accepted approach?
First of all, this issue (rate limiting) is beyond the scope of this authentication library. However, I have implemented rate limiting for another open source library, and I can provide a link to that and other useful links.
The commit where I added rate limiting is this one, using the Hammer library, and it was in response to this issue.
There is another rate limiting library called ex_rated, and this blog post can provide you with information about how you could use it in a Phoenix app.
If you have any further questions, just let me know.
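The flow keslert sketches (check `rate_limited?` before `Login.verify`, record a failure afterwards, key on both e-mail and IP), written out as an added example that is not code from this thread, from the library, or from Hammer/ex_rated. It keeps the counters in a plain map standing in for the "failed_attempts" table so it runs in `iex` without Phoenix; the `LoginThrottle` name, the limits and the window length are assumptions.

```elixir
defmodule LoginThrottle do
  @moduledoc """
  Counts failed login attempts per e-mail address and per IP address inside a
  fixed time window. The state is a map standing in for the "failed_attempts"
  table; in a real app the counters would live in the database or in a library
  such as Hammer or ex_rated, as suggested in the reply above.
  """

  # Assumed policy (not from the thread): 5 failures per e-mail and 20 per IP
  # within 15 minutes. Timestamps are integer seconds supplied by the caller.
  @window_seconds 15 * 60
  @max_per_email 5
  @max_per_ip 20

  @doc "True when either the e-mail or the IP has used up its failure budget."
  def rate_limited?(state, email, ip, now) do
    count(state, {:email, normalize(email)}, now) >= @max_per_email or
      count(state, {:ip, ip}, now) >= @max_per_ip
  end

  @doc "Record one failed attempt against both keys; call when Login.verify fails."
  def record_failure(state, email, ip, now) do
    state
    |> Map.update({:email, normalize(email)}, [now], &[now | prune(&1, now)])
    |> Map.update({:ip, ip}, [now], &[now | prune(&1, now)])
  end

  @doc "Forget the e-mail's failures after a successful login; the IP counter is kept."
  def clear(state, email), do: Map.delete(state, {:email, normalize(email)})

  # Only timestamps still inside the window count towards the limit.
  defp count(state, key, now), do: state |> Map.get(key, []) |> prune(now) |> length()

  # Drop timestamps that fell out of the window so old failures never count.
  defp prune(stamps, now), do: Enum.filter(stamps, &(now - &1 < @window_seconds))

  # Lower-case and trim so "Alice@Example.com " shares a counter with "alice@example.com".
  defp normalize(email), do: email |> String.trim() |> String.downcase()
end

# Constructed walk-through of the controller sequence: five failures from one
# address within the window, then the check that would run before Login.verify.
state =
  Enum.reduce(1..5, %{}, fn i, acc ->
    LoginThrottle.record_failure(acc, "alice@example.com", "203.0.113.7", 1_000 + i)
  end)

IO.inspect(LoginThrottle.rate_limited?(state, "alice@example.com", "203.0.113.7", 1_010))
IO.inspect(LoginThrottle.rate_limited?(state, "alice@example.com", "203.0.113.7", 1_010 + 15 * 60))
```

Because the check runs before `Login.verify`, a throttled request gets the same generic error whether or not the e-mail exists, so the limiter does not leak which accounts are registered. Counting per IP as well as per e-mail means a single source cycling through many usernames is still slowed down.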