[Question] : How can I use only user throttling?
I am using Sentinel for my Laravel application. I am authenticating the user with Sentinel::authenticate($credential). But when I pass wrong credentials 5 times it checks all the throttling types, i.e. "global", "ip" and "user". I want to do only user throttling.
Try 1: I removed the global and ip arrays from the config file. I am using a custom model for throttling.
```php
'throttling' => [
    'model' => 'Flinnt\ACL\AuthProviders\Sentinel\Throttle\EloquentThrottle',
    /*'global' => [
        'interval' => 900,
        'thresholds' => [
            10 => 1,
            20 => 2,
            30 => 4,
            40 => 8,
            50 => 16,
            60 => 12
        ],
    ],
    'ip' => [
        'interval' => 900,
        'thresholds' => 5,
    ],*/
    'user' => [
        'interval' => 60,
        'thresholds' => 2,
    ],
],
```
There is no documentation regarding this.
Thanks in advance.
Found an issue: you are providing the default values in IlluminateThrottleRepository. So if I don't provide a key it will take the default value.
Here is your code:
```php
/**
 * The interval which failed logins are checked, to prevent brute force.
 *
 * @var int
 */
protected $globalInterval = 900;

/**
 * The global thresholds configuration array.
 *
 * If an array is set, the key is the number of failed login attempts
 * and the value is the delay in seconds before another login can
 * occur.
 *
 * If an integer is set, it represents the number of attempts
 * before throttling locks out in the current interval.
 *
 * @var int|array
 */
protected $globalThresholds = [
    10 => 1,
    20 => 2,
    30 => 4,
    40 => 8,
    50 => 16,
    60 => 32,
];

/**
 * Cached global throttles collection within the interval.
 *
 * @var \Illuminate\Database\Eloquent\Collection
 */
protected $globalThrottles;

/**
 * The interval at which point one IP address' failed logins are checked.
 *
 * @var int
 */
protected $ipInterval = 900;

/**
 * Works identical to global thresholds, except specific to an IP address.
 *
 * @var int|array
 */
protected $ipThresholds = 5;

/**
 * The cached IP address throttle collections within the interval.
 *
 * @var array
 */
protected $ipThrottles = [];

/**
 * The interval at which point failed logins for one user are checked.
 *
 * @var int
 */
protected $userInterval = 900;

/**
 * Works identical to global and IP address thresholds, regarding a user.
 *
 * @var int|array
 */
protected $userThresholds = 5;

/**
 * The cached user throttle collections within the interval.
 *
 * @var \Illuminate\Database\Eloquent\Collection
 */
protected $userThrottles = [];
```
At the time of initialization, i.e. in the service provider, if the key is present it sets the value on the respective property; the other fields are initialized with null.
Don't believe it's possible to use only user throttling by default.
You'll most likely need to create your own throttling implementation, I guess.
/cc @suwardany
@brunogaspar Won't this be a good feature? As you mentioned in the documentation, global throttling will lock the whole site. It is a good feature as it prevents DDoS attacks. But it might be a bad idea to set it as the default. We can provide it as an optional throttling configuration.
I am inviting you all for discussion on this.
Well, in my opinion what @pankitgami is trying to do should be the default behavior. Just think of people logging in from the same LAN or cybercafé; that would be a real mess to handle.
It's a major change that will be addressed in the next version of Sentinel. Concerns are valid, we agree. We don't have an immediate solution for you but will update this ticket once we do. Well done pointing out the limitation.
@drsii Is there any way I can help regarding this issue?
There is one workaround for this issue:
If you set interval and threshold to 0 it won't check for that throttling.
But it will store unnecessary data to database.
Would the easier way to solve this not be to just create a couple of extra checkpoints based on the ThrottleCheckpoint::checkThrottling method, splitting this method into 3 different checkpoints, i.e. UserThrottleCheckpoint, GlobalThrottleCheckpoint, IpThrottleCheckpoint? This way any of the checkpoints could be toggled on or off. And I think this would be an easier implementation than splitting up the Throttling\IlluminateThrottleRepository or creating a different throttling class.
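As an added example of the checkpoint-level approach suggested above (this is not code from the issue or from the Sentinel project), the class below subclasses Sentinel's `ThrottleCheckpoint` and gates each of the three checks on an explicit list of enabled types, so "user only" becomes a constructor argument instead of a config hack. Instead of three separate checkpoint classes it uses one checkpoint with toggles, which reaches the same result with less wiring. It assumes Sentinel 2.x: that `ThrottleCheckpoint` exposes `$throttle`, `$ipAddress`, a protected `checkThrottling()` and a protected `throwException()`, that the Laravel provider binds the repository as `sentinel.throttling`, and that the default checkpoint key is `throttle`; the class name, namespace and `registerUserOnlyThrottling()` helper are the example's own.

```php
<?php
// Added example (not part of the issue or of Sentinel itself): a checkpoint that
// runs only the throttle types you enable, leaving the repository untouched.
// Assumes Sentinel 2.x internals: ThrottleCheckpoint::__construct($throttle, $ipAddress),
// its protected checkThrottling() / throwException() helpers, and the
// 'sentinel' / 'sentinel.throttling' container bindings of the Laravel provider.

namespace App\Checkpoints;

use Cartalyst\Sentinel\Checkpoints\ThrottleCheckpoint;
use Cartalyst\Sentinel\Throttling\ThrottleRepositoryInterface;
use Cartalyst\Sentinel\Users\UserInterface;

class SelectiveThrottleCheckpoint extends ThrottleCheckpoint
{
    /** @var array<string,bool> which of 'global' / 'ip' / 'user' are active */
    protected $enabled;

    /**
     * @param string[] $enabled subset of ['global', 'ip', 'user']; defaults to user only
     */
    public function __construct(ThrottleRepositoryInterface $throttle, $ipAddress = null, array $enabled = ['user'])
    {
        parent::__construct($throttle, $ipAddress);
        $this->enabled = array_fill_keys($enabled, true);
    }

    /**
     * Same decision order and same login/check semantics as the stock
     * ThrottleCheckpoint::checkThrottling (global and user delays only block
     * logins, an IP delay also blocks already-authenticated sessions), but
     * every branch is skipped unless its type was enabled.
     */
    protected function checkThrottling($action, UserInterface $user = null)
    {
        if ($action === 'login' && isset($this->enabled['global'])) {
            $delay = $this->throttle->globalDelay();
            if ($delay > 0) {
                $this->throwException("Too many unsuccessful attempts have been made globally, logins are locked for another [{$delay}] second(s).", 'global', $delay);
            }
        }

        if (isset($this->ipAddress) && isset($this->enabled['ip'])) {
            $delay = $this->throttle->ipDelay($this->ipAddress);
            if ($delay > 0) {
                $this->throwException("Suspicious activity has occurred on your IP address and you have been denied access for another [{$delay}] second(s).", 'ip', $delay);
            }
        }

        if ($action === 'login' && isset($user) && isset($this->enabled['user'])) {
            $delay = $this->throttle->userDelay($user);
            if ($delay > 0) {
                $this->throwException("Too many unsuccessful login attempts have been made against your account. Please try again after another [{$delay}] second(s).", 'user', $delay);
            }
        }
    }
}

/**
 * Call this from a service provider's boot(): replaces Sentinel's default
 * 'throttle' checkpoint with the selective one, user throttling only.
 * (Hypothetical helper; the checkpoint key 'throttle' and the two container
 * bindings are assumptions about the installed Sentinel version.)
 */
function registerUserOnlyThrottling()
{
    $sentinel = app('sentinel');

    $sentinel->removeCheckpoint('throttle');
    $sentinel->addCheckpoint('throttle', new SelectiveThrottleCheckpoint(
        app('sentinel.throttling'),
        request()->ip(),
        ['user']
    ));
}
```

Two things worth knowing when you adopt this. First, the thresholds and intervals for the disabled types are simply never consulted, so you can leave the repository's defaults in place; there is no need for the zero-threshold workaround. Second, `fail()` is inherited unchanged and still calls the repository's `log()`, which records global, IP and user rows for every failed attempt exactly as before; this keeps the evidence you would want when investigating a brute-force run, while only the user delay is enforced. If you also want to stop the IP rows, pass `null` as the `$ipAddress` argument.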