@@ -0,0 +1 @@ | |||||
Tighten the login ratelimit defaults. |
@@ -1518,11 +1518,11 @@ rc_registration_token_validity: | |||||
This option specifies several limits for login: | This option specifies several limits for login: | ||||
* `address` ratelimits login requests based on the client's IP | * `address` ratelimits login requests based on the client's IP | ||||
address. Defaults to `per_second: 0.17`, `burst_count: 3`. | |||||
address. Defaults to `per_second: 0.003`, `burst_count: 5`. | |||||
* `account` ratelimits login requests based on the account the | * `account` ratelimits login requests based on the account the | ||||
client is attempting to log into. Defaults to `per_second: 0.17`, | |||||
`burst_count: 3`. | |||||
client is attempting to log into. Defaults to `per_second: 0.03`, | |||||
`burst_count: 5`. | |||||
* `failed_attempts` ratelimits login requests based on the account the | * `failed_attempts` ratelimits login requests based on the account the | ||||
client is attempting to log into, based on the amount of failed login | client is attempting to log into, based on the amount of failed login | ||||
@@ -87,9 +87,18 @@ class RatelimitConfig(Config): | |||||
defaults={"per_second": 0.1, "burst_count": 5}, | defaults={"per_second": 0.1, "burst_count": 5}, | ||||
) | ) | ||||
# It is reasonable to login with a bunch of devices at once (i.e. when | |||||
# setting up an account), but it is *not* valid to continually be | |||||
# logging into new devices. | |||||
rc_login_config = config.get("rc_login", {}) | rc_login_config = config.get("rc_login", {}) | ||||
self.rc_login_address = RatelimitSettings(rc_login_config.get("address", {})) | |||||
self.rc_login_account = RatelimitSettings(rc_login_config.get("account", {})) | |||||
self.rc_login_address = RatelimitSettings( | |||||
rc_login_config.get("address", {}), | |||||
defaults={"per_second": 0.003, "burst_count": 5}, | |||||
) | |||||
self.rc_login_account = RatelimitSettings( | |||||
rc_login_config.get("account", {}), | |||||
defaults={"per_second": 0.003, "burst_count": 5}, | |||||
) | |||||
self.rc_login_failed_attempts = RatelimitSettings( | self.rc_login_failed_attempts = RatelimitSettings( | ||||
rc_login_config.get("failed_attempts", {}) | rc_login_config.get("failed_attempts", {}) | ||||
) | ) | ||||
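Review bot: The new `rc_login_account` settings pass `defaults={"per_second": 0.003, "burst_count": 5}`, but the documentation hunk in this same commit states the `account` default as `per_second: 0.03` (only `address` is documented as 0.003), so code and docs disagree on one of the two values; if both limiters are meant to share the same rate, the doc line should read `client is attempting to log into. Defaults to `per_second: 0.003`,`, otherwise the second `defaults=` needs 0.03. The new comment explains why bursts are allowed but not why this particular rate was chosen; a one-line `# 0.003/s ≈ one new login every ~5.5 min once the burst of 5 is spent` next to the defaults would let operators on shared egress IPs (NAT, campus networks) judge whether the `address` limiter will lock out legitimate users. `rc_login_failed_attempts` still gets no explicit defaults and therefore falls back to whatever `RatelimitSettings` supplies internally (not visible here) — presumably intentional, but worth confirming the tightening was meant to leave it alone. The enclosing method of `RatelimitConfig` begins before this hunk.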