Tryton - Issues

Title: Limit attempt per IP network
Priority: feature
Status: resolved
Superseder: (none)
Nosy List: ced, pokoli, reviewbot, roundup-bot
Type: performance
Components: trytond, web_user
Assigned To: ced
Keywords: review
Reviews: 41031002, 41041002

Created on 2018-02-02.11:14:20 by ced, last changed by roundup-bot.

New changeset a2568e305abe by Cédric Krier in branch 'default':
Raise RateLimitException on authenticate

New changeset dce0d8fb3c3f by Cédric Krier in branch 'default':
Add '_request' attribute to Transaction context

New changeset 331f329d4ce0 by Cédric Krier in branch 'default':
Manage 'X-Forwarded' headers from proxies

New changeset ab185912ef8e by Cédric Krier in branch 'default':
Limit authentication attempt per IP network
msg38173 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-02-02.13:11:31
Indeed it also misses the limit on count, so I fix it with review41041002
msg38171 (view) Author: [hidden] (pokoli) (Tryton committer) (Tryton translator) Date: 2018-02-02.12:00:30
I think we should also add the limit on the web_user module.
msg38170 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-02-02.11:37:46
Also, when the server is behind a proxy, we must be sure to take the right remote address. This can be solved by using werkzeug.contrib.fixers.ProxyFix.
msg38169 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-02-02.11:17:34
In order to implement this, we need to get the remote address from the request. So I think it is better to have a generic solution which provides that information to every request/transaction. The idea is to add to the context a new keyword '_request' which contains a dictionary with request properties like 'remote_addr', 'http_host', 'scheme' and 'is_secure'.
msg38168 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-02-02.11:14:19
A malicious hacker could flood the LoginAttempt table by sending failing requests for different logins. Even if the size of the record is limited (issue5381) and the records are purged (issue5377) frequently, and it is recommended to use a proxy which should detect and ban such requests, it is still good to limit the number of attempts per IP network.
We must limit per network because with IPv6 people usually receive a /56 network range from providers. For IPv4 we can limit per IP as they are rare now (which means a /32 range).
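The two points raised in this thread, counting failed logins per network (/56 for IPv6, /32 for IPv4, msg38168) and taking the client address from behind a proxy the way ProxyFix does (msg38170), as one added example. This is illustrative code written for this page, not trytond's or web_user's implementation: the names RateLimitException, LoginAttemptLimiter, client_address, network_key and authenticate, the budget of 5 failures per 60 seconds, and the user table are assumptions. It goes slightly beyond the messages by treating IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) as the IPv4 host they carry, so the same client cannot get a separate budget by connecting over a dual-stack listener.

```python
"""Per-network login rate limiting (added example, not Tryton's own code).

Assumed for illustration: class and function names, the 5-per-60s budget,
and the constructed user table used by authenticate().
"""
import ipaddress
import time
from collections import defaultdict, deque

# Prefix lengths from the issue: a /56 is the usual provider allocation
# for IPv6, while IPv4 is counted per address (/32).
IPV6_PREFIX = 56
IPV4_PREFIX = 32


class RateLimitException(Exception):
    """Stand-in for the exception raised when a network is over budget."""


def client_address(remote_addr, x_forwarded_for=None, trusted_proxies=0):
    """Pick the client address, trusting exactly `trusted_proxies` hops.

    Mirrors a ProxyFix-style middleware: with N trusted proxies, the N-th
    entry from the end of X-Forwarded-For is the client as seen by the
    outermost trusted proxy; everything before it is attacker-controlled.
    With no trusted proxy the header is ignored, so a client that connects
    directly cannot forge its address and escape its own bucket.
    """
    if trusted_proxies <= 0 or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(',') if h.strip()]
    if len(hops) < trusted_proxies:
        return remote_addr  # header too short to be trusted; keep the socket peer
    return hops[-trusted_proxies]


def network_key(address):
    """Normalise an address to the network its attempts are counted under."""
    addr = ipaddress.ip_address(address)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is the IPv4 host a.b.c.d
    if addr.version == 4:
        return str(ipaddress.IPv4Network((addr, IPV4_PREFIX), strict=False))
    return str(ipaddress.IPv6Network((addr, IPV6_PREFIX), strict=False))


class LoginAttemptLimiter:
    """Sliding-window count of failed logins, keyed by network."""

    def __init__(self, max_failures=5, window=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock  # injectable so the window can be tested
        self._failures = defaultdict(deque)  # key -> failure timestamps

    def _live_failures(self, key, now):
        queue = self._failures[key]
        while queue and queue[0] <= now - self.window:
            queue.popleft()  # drop failures that fell out of the window
        return queue

    def check(self, address):
        """Raise RateLimitException if this network has used its budget."""
        key = network_key(address)
        if len(self._live_failures(key, self.clock())) >= self.max_failures:
            raise RateLimitException(key)

    def record_failure(self, address):
        now = self.clock()
        self._live_failures(network_key(address), now).append(now)


def is_rate_limited(limiter, address):
    """True when check() would refuse the address right now."""
    try:
        limiter.check(address)
    except RateLimitException:
        return True
    return False


def authenticate(limiter, address, login, password, users):
    """Apply the limit before touching credentials, then count failures.

    Checking first means an over-budget network never reaches the user
    lookup or writes a LoginAttempt row, which is the flood the issue
    describes. `users` is a constructed login -> password table standing
    in for the real store. Returns the login on success, None on failure.
    """
    limiter.check(address)
    if users.get(login) == password:
        return login
    limiter.record_failure(address)
    return None
```

The key is the network string itself, so two hosts anywhere in the same /56 share one budget, while 10.0.0.1 and 10.0.0.2 stay separate; in a real deployment the address passed in would come from client_address() with trusted_proxies set to the number of reverse proxies actually in front of the server, never from the raw header.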
Date                 User         Action  Args
2018-02-14 19:26:02  roundup-bot  set     messages: + msg38376
2018-02-14 19:24:25  roundup-bot  set     status: testing -> resolved; nosy: + roundup-bot; messages: + msg38375
2018-02-12 17:24:17  reviewbot    set     messages: + msg38327
2018-02-06 14:47:28  reviewbot    set     messages: + msg38239
2018-02-02 13:15:42  reviewbot    set     messages: + msg38174
2018-02-02 13:11:31  ced          set     reviews: 41031002 -> 41031002,41041002; component: + web_user; messages: + msg38173
2018-02-02 12:21:36  reviewbot    set     nosy: + reviewbot; messages: + msg38172
2018-02-02 12:00:30  pokoli       set     nosy: + pokoli; messages: + msg38171
2018-02-02 11:46:33  ced          set     status: in-progress -> testing; reviews: 41031002; keyword: + review
2018-02-02 11:37:46  ced          set     messages: + msg38170
