Page MenuHomePhabricator

Replace old rate limiting in password login flow with "SystemAction" rate limiting
ClosedPublic

Authored by epriestley on Jul 19 2019, 5:21 PM.

Details

Summary

Depends on D20667. Ref T13343. Password auth currently uses an older rate limiting mechanism, upgrade it to the modern "SystemAction" mechanism.

This mostly just improves consistency, although there are some tangential/theoretical benefits:

  • it's not obvious that making the user log GC very quickly could disable rate limiting;
  • if we let you configure action limits in the future, which we might, this would become configurable for free.
Test Plan
  • With CAPTCHAs off, made a bunch of invalid login attempts. Got rate limited.
  • With CAPTCHAs on, made a bunch of invalid login attempts. Got downgraded to CAPTCHAs after a few.

Diff Detail

Repository
rP Phabricator
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.Jul 19 2019, 5:21 PM
epriestley requested review of this revision.Jul 19 2019, 5:22 PM
epriestley added inline comments.Jul 19 2019, 5:28 PM
src/applications/auth/provider/PhabricatorPasswordAuthProvider.php
258–260

These limits have changed slightly: captcha from "5 per 15 minutes" to "10 per hour", and logins from "32 per 15 minutes" to "100 per hour".

amckinley accepted this revision.Jul 19 2019, 9:43 PM
This revision is now accepted and ready to land.Jul 19 2019, 9:43 PM