Differential D20668

Replace old rate limiting in password login flow with "SystemAction" rate limiting
ClosedPublic
Actions

Authored by epriestley on Jul 19 2019, 5:21 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Tue, Jan 21, 9:31 AM

	Unknown Object (File)
	Fri, Jan 17, 10:21 PM

	Unknown Object (File)
	Tue, Dec 24, 8:41 AM

	Unknown Object (File)
	Dec 21 2024, 5:50 PM

	Unknown Object (File)
	Dec 20 2024, 4:57 PM

	Unknown Object (File)
	Dec 17 2024, 6:03 AM

	Unknown Object (File)
	Dec 15 2024, 8:46 AM

	Unknown Object (File)
	Dec 13 2024, 8:54 AM

Subscribers

None

Details

Reviewers

Maniphest Tasks

T13343: Make "Send a login link to your email address" email include why it was sent to avoid confusion

Commits

rPa75766c0e501: Replace old rate limiting in password login flow with "SystemAction" rate…

Summary

Depends on D20667. Ref T13343. Password auth currently uses an older rate limiting mechanism, upgrade it to the modern "SystemAction" mechanism.

This mostly just improves consistency, although there are some tangential/theoretical benefits:

it's not obvious that making the user log GC very quickly could disable rate limiting;
if we let you configure action limits in the future, which we might, this would become configurable for free.

Test Plan

With CAPTCHAs off, made a bunch of invalid login attempts. Got rate limited.
With CAPTCHAs on, made a bunch of invalid login attempts. Got downgraded to CAPTCHAs after a few.

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Jul 19 2019, 5:21 PM

Harbormaster completed remote builds in B23162: Diff 49295.Jul 19 2019, 5:22 PM

epriestley requested review of this revision.Jul 19 2019, 5:22 PM

epriestley added a child revision: D20669: Simplify implementation of "SysetemAction->getSystemActionConstant()".Jul 19 2019, 5:27 PM

epriestley added inline comments.Jul 19 2019, 5:28 PM

src/applications/auth/provider/PhabricatorPasswordAuthProvider.php
258–260	These limits have changed slightly: captcha from "5 per 15 minutes" to "10 per hour", and logins from "32 per 15 minutes" to "100 per hour".

amckinley accepted this revision.Jul 19 2019, 9:43 PM

This revision is now accepted and ready to land.Jul 19 2019, 9:43 PM

Closed by commit rPa75766c0e501: Replace old rate limiting in password login flow with "SystemAction" rate… (authored by epriestley). · Explain WhyJul 19 2019, 10:45 PM

This revision was automatically updated to reflect the committed changes.

epriestley added a commit: rPa75766c0e501: Replace old rate limiting in password login flow with "SystemAction" rate….

Revision Contents
Changeset List

Path

Size

src/

__phutil_library_map__.php

applications/

auth/

action/

PhabricatorAuthTryPasswordAction.php

22 lines

PhabricatorAuthTryPasswordWithoutCAPTCHAAction.php

16 lines

provider/

PhabricatorPasswordAuthProvider.php

41 lines

Diff 49308

src/__phutil_library_map__.php

Loading...

src/applications/auth/action/PhabricatorAuthTryPasswordAction.php

Loading...

src/applications/auth/action/PhabricatorAuthTryPasswordWithoutCAPTCHAAction.php

Loading...

src/applications/auth/provider/PhabricatorPasswordAuthProvider.php

Loading...