Implement Rate Limiting (Throttling) #11
Comments
Would this really be needed since Laravel already offers throttling? Defaults can also easily be overridden by using such in the Controller.
You're right. Most of this is covered by Laravel's built-in login throttling. It's not exactly as specified by NIST though. For example, it does not support...
Also it does not provide the ability to fully lock out an account after a number of attempts, as in the following.
Makes sense. Good idea!
Update: see the following comment. To make integration as seamless as possible, this functionality would require the validation rules to have knowledge of how to check if a user's credentials are valid. This could be achieved via a callback, as follows.

```php
// Inside a controller action; Request and Auth are Laravel's Illuminate classes.
$hasValidCredentials = function (Request $request) {
    // Third argument false: check the credentials without logging the user in.
    return Auth::attempt(['email' => $request->email, 'password' => $request->password], false, false);
};

$this->validate($request, [
    'email' => 'required',
    'password' => PasswordRules::login($hasValidCredentials),
]);
```
Actually, the Rule object does not have direct access to the Request, so it may be best if this is checked outside of the rule and a boolean is passed in, as follows.

```php
// Check the credentials without logging the user in, then hand the result to the rule.
$hasValidCredentials = Auth::attempt([
    'email' => $request->email,
    'password' => $request->password,
], false, false);

$this->validate($request, [
    'email' => 'required',
    'password' => PasswordRules::login($hasValidCredentials),
]);
```
We should attempt to implement login rate limiting as part of these validation rules, as described in NIST SP800-63b section 5.2.2.
Source: https://pages.nist.gov/800-63-3/sp800-63b.html#throttle
It would also be useful to provide Artisan commands that will remove login bans / delays entirely or for specific users / IPs.
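One way to structure the lockout and back-off logic the thread converges on, as an added example that is not code from this package and is independent of Laravel (plain PHP 8): the throttle is consulted before the credential check so a throttled request never exercises the password, a successful attempt or an explicit unban clears the count, and `clear()` is what a per-user unban Artisan command would call. The 100-attempt ceiling is NIST's figure; the doubling back-off schedule and the in-memory store are assumptions.

```php
<?php
// Added example, not the package's own code: a framework-independent model of the
// NIST SP 800-63B 5.2.2 throttle requested above. The 100-attempt ceiling is NIST's;
// the doubling back-off schedule and the in-memory store are assumptions.
final class LoginThrottle
{
    /** @var array<string, array{count:int, at:int}> account => consecutive failures */
    private array $failures = [];

    public function __construct(
        private int $maxAttempts = 100,
        private int $baseDelay = 1,   // seconds of back-off after the first failure
        private int $maxDelay = 300,  // cap on the doubling back-off
    ) {}
    public function isLockedOut(string $account): bool
    {
        return ($this->failures[$account]['count'] ?? 0) >= $this->maxAttempts;
    }

    /** Seconds the caller must still wait before an attempt is evaluated (0 = none). */
    public function retryAfter(string $account, int $now): int
    {
        if (!isset($this->failures[$account])) {
            return 0;
        }
        ['count' => $n, 'at' => $at] = $this->failures[$account];
        $delay = min($this->baseDelay << min($n - 1, 20), $this->maxDelay); // 1s, 2s, 4s, ...
        return max(0, $at + $delay - $now);
    }

    /** Gate to call BEFORE Auth::attempt(): a throttled request never reaches the password check. */
    public function allows(string $account, int $now): bool
    {
        return !$this->isLockedOut($account) && $this->retryAfter($account, $now) === 0;
    }

    /** Record the result of the credential check made outside the rule, as suggested in the thread. */
    public function record(string $account, bool $validCredentials, int $now): void
    {
        if ($validCredentials) {          // success resets the consecutive-failure count
            unset($this->failures[$account]);
            return;
        }
        $n = ($this->failures[$account]['count'] ?? 0) + 1;
        $this->failures[$account] = ['count' => $n, 'at' => $now];
    }
    /** What an artisan "remove ban for user X" command would call. */
    public function clear(string $account): void { unset($this->failures[$account]); }
}
```

Call `allows()` before `Auth::attempt()` and `record()` after it; a throttled request should receive the same generic failure response as a wrong password so the throttle state itself is not exposed.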