
Temporary account lockout for repeated auth failure

Open · rnewson opened this issue 1 year ago · 1 comment

Overview

Enhance couchdb to efficiently reject requests for a given user if repeated requests have failed for authentication reasons, from the same IP address. This helps slow brute-force password attacks and is especially helpful if each authentication attempt is very expensive (pbkdf2 with a high iteration count, typically).

Testing recommendations

Will be covered by automated tests.

Related Issues or Pull Requests

Checklist

  • [x] Code is written and works correctly
  • [x] Changes are covered by tests
  • [x] Any new configurable parameters are documented in rel/overlay/etc/default.ini
  • [ ] Documentation changes were made in the src/docs folder
  • [ ] Documentation changes were backported (separated PR) to affected branches

rnewson · Apr 17 '24 16:04
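To make the mechanism in the PR description concrete, here is an added, stand-alone illustration of a per-(user, client IP) temporary lockout in Python. It is not CouchDB's code and not the `couch_lockout.erl` module under discussion; the class name `AuthLockout`, the `authenticate` helper, the threshold/window/lockout values and the sample user store are all constructed for this example. The point it demonstrates is the one the description makes about cost: the lockout check runs before the PBKDF2 derivation, so a locked-out pair is rejected without paying for the expensive hash.

```python
import hashlib
import hmac
import os
import time


class _Entry:
    """Per-(user, ip) failure state. Constructed for this example."""

    def __init__(self, first_failure):
        self.failures = 0
        self.first_failure = first_failure
        self.locked_until = 0.0


class AuthLockout:
    """Counts authentication failures per (username, client_ip) pair and
    rejects the pair for `lockout` seconds once `max_failures` are seen
    within `window` seconds. `clock` is injectable for deterministic tests."""

    def __init__(self, max_failures=5, window=60.0, lockout=300.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._entries = {}

    def is_locked(self, user, ip):
        e = self._entries.get((user, ip))
        if e is None or not e.locked_until:
            return False
        if self.clock() < e.locked_until:
            return True
        # Lockout expired: forget the pair so the next attempt starts clean.
        del self._entries[(user, ip)]
        return False

    def record_failure(self, user, ip):
        """Returns True if this failure tripped (or the pair is still in) a lockout."""
        now = self.clock()
        e = self._entries.get((user, ip))
        stale = (e is None
                 or now - e.first_failure > self.window
                 or (e.locked_until and now >= e.locked_until))
        if stale:
            e = self._entries[(user, ip)] = _Entry(first_failure=now)
        e.failures += 1
        if e.failures >= self.max_failures:
            e.locked_until = now + self.lockout
        return e.locked_until > now

    def record_success(self, user, ip):
        self._entries.pop((user, ip), None)


def make_user(password, iterations=10_000):
    """Constructed user record: (salt, iterations, pbkdf2-sha256 digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, digest)


# Constructed sample user store (not CouchDB's _users database).
USERS = {"alice": make_user("correct horse battery staple")}


def authenticate(lockout, users, user, ip, password):
    """Returns 'locked', 'ok' or 'bad'. The lockout check comes first, so a
    locked pair never reaches the expensive PBKDF2 call."""
    if lockout.is_locked(user, ip):
        return "locked"
    rec = users.get(user)
    if rec is not None:
        salt, iterations, stored = rec
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        if hmac.compare_digest(derived, stored):
            lockout.record_success(user, ip)
            return "ok"
    lockout.record_failure(user, ip)
    return "bad"


def demo():
    """Walks through: three failures trip the lock, the right password is then
    refused from that IP, another IP is unaffected, and the lock expires."""
    now = [0.0]
    lock = AuthLockout(max_failures=3, window=60.0, lockout=300.0,
                       clock=lambda: now[0])
    good = "correct horse battery staple"
    results = [authenticate(lock, USERS, "alice", "203.0.113.7", "wrong")
               for _ in range(3)]
    results.append(authenticate(lock, USERS, "alice", "203.0.113.7", good))
    results.append(authenticate(lock, USERS, "alice", "198.51.100.9", good))
    now[0] = 301.0  # advance past the 300 s lockout
    results.append(authenticate(lock, USERS, "alice", "203.0.113.7", good))
    return results  # ['bad', 'bad', 'bad', 'locked', 'ok', 'ok']


if __name__ == "__main__":
    print(demo())
```

Two things a real implementation needs that this sketch leaves out: the `_entries` table grows with every distinct (user, IP) pair that fails, so entries must be swept once their window or lockout has passed, and in a clustered deployment the counters have to be shared or the per-node thresholds reduced, since an attacker can spread attempts across nodes.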

Would couch_auth_lock[out].erl be a clearer name for the module instead of couch_lockout.erl?

Lockout is its own thing, e.g. https://en.wikipedia.org/wiki/Lockout_%28industry%29

janl · Apr 18 '24 12:04