Issue 9386

Title
Allow trusted client to bypass the wait period when entering the wrong password
Priority
feature
Status
chatting
Nosy list
nicoe, reviewbot, roundup-bot
Assigned to
nicoe
Keywords
review

Created on 2020-06-03.11:15:23 by nicoe, last changed 1 week ago by nicoe.

Messages

Author: [hidden] (nicoe) Tryton committer
Date: 2021-02-22.09:43:30
* Roundup Robot  [2021-02-21 22:25 +0100]: 
>New changeset 090dc40da49d by Cédric Krier in branch 'default':
>Add default value for new device_cookie
>https://hg.tryton.org/trytond/rev/090dc40da49d

Which consumer code is impacted?

I had thought about adding a default value to those functions but
decided not to put them because it would mean that any successful
login would reset the count for unknown devices.
New changeset 6837cd484370 by Cédric Krier in branch 'default':
Add default value for new device_cookie
https://hg.tryton.org/tryton-env/rev/6837cd484370
New changeset 090dc40da49d by Cédric Krier in branch 'default':
Add default value for new device_cookie
https://hg.tryton.org/trytond/rev/090dc40da49d
New changeset 12222c9e5e00 by Nicolas Évrard in branch 'default':
Protect trusted devices against brute force attack
https://hg.tryton.org/tryton-env/rev/12222c9e5e00
New changeset d3a8ed75e4c0 by Nicolas Évrard in branch 'default':
Protect trusted devices against brute force attack
https://hg.tryton.org/trytond/rev/d3a8ed75e4c0
New changeset e4bfb7718b16 by Nicolas Évrard in branch 'default':
Protect trusted devices against brute force attack
https://hg.tryton.org/tryton/rev/e4bfb7718b16
New changeset d10e0a87299d by Nicolas Évrard in branch 'default':
Protect trusted devices against brute force attack
https://hg.tryton.org/sao/rev/d10e0a87299d
Author: [hidden] (nicoe) Tryton committer
Date: 2020-06-03.11:15:22
We get sometimes the remark that the exponential wait in the get_login function when the user enters is useless or should be changed in order to reduce the delay (see issue5375 and other discussions about that on the opensuse bugtracker or in live).

Getting some idea from https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies we think that we could use a random token store on the client side and on the server side in order to reduce the wait for users trying to connect from a client that has already been trusted.

This token would be sent alongside the credentials information and if it matches the one store on the server then the user wouldn't have to wait in order to make another attempt. Of course if the number of attempts reach a defined limit then we will sent a 429 - Too Many Requests.
History
Date User Action Args
2021-02-22 09:43:30nicoesetmessages: + msg64775
status: resolved -> chatting
2021-02-21 22:25:15roundup-botsetmessages: + msg64767
2021-02-21 22:25:04roundup-botsetmessages: + msg64765
2021-02-21 22:22:53cedsetcomponent: + tryton, trytond, sao
2021-02-21 22:22:41cedsetassignedto: nicoe
type: feature request
2021-02-21 16:23:42roundup-botsetmessages: + msg64739
2021-02-21 16:23:34roundup-botsetmessages: + msg64738
2021-02-21 16:23:31roundup-botsetmessages: + msg64737
2021-02-21 16:23:27roundup-botsetmessages: + msg64736
nosy: + roundup-bot
status: chatting -> resolved
2021-02-16 12:10:09reviewbotsetmessages: + msg64636

Showing 10 items. Show all history (warning: this could be VERY long)