Tryton - Issues


Issue9386

Title: Allow trusted client to bypass the wait period when entering the wrong password
Priority: feature
Status: chatting
Superseder:
Nosy List: nicoe, reviewbot
Type:
Components:
Assigned To:
Keywords: review
Reviews: 321511002
View: 321511002

Created on 2020-06-03.11:15:23 by nicoe, last changed by reviewbot.

Messages
review321511002 updated at https://codereview.tryton.org/321511002/#ps298021002
New review321511002 at https://codereview.tryton.org/321511002/#ps321521002
msg58437 (view) Author: [hidden] (nicoe) (Tryton committer) Date: 2020-06-03.11:15:22
We sometimes get the remark that the exponential wait in the get_login function when the user enters a wrong password is useless or should be changed in order to reduce the delay (see issue5375 and other discussions about that on the openSUSE bug tracker or live).

Getting some ideas from https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies, we think that we could use a random token stored on the client side and on the server side in order to reduce the wait for users trying to connect from a client that has already been trusted.

This token would be sent alongside the credential information and, if it matches the one stored on the server, the user wouldn't have to wait in order to make another attempt. Of course, if the number of attempts reaches a defined limit then we will send a 429 - Too Many Requests.
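To make the proposal concrete, here is an added illustrative Python model of the scheme (not Tryton code): an untrusted client pays the exponential wait on every failed login, a client presenting the token issued to it at a previous successful login skips the wait, and a trusted token that exceeds the attempt limit gets 429. The constants MAX_ATTEMPTS and BASE_DELAY, the in-memory dicts and the plaintext password store are assumptions for the demo only.

```python
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5    # failed attempts allowed per trusted token before 429 (assumed value)
BASE_DELAY = 1.0    # seconds; doubled on each further failure from an untrusted client


@dataclass
class LoginServer:
    """Server-side state for the device-token idea: users, issued tokens, failure counts."""
    users: dict                                    # login -> password (plaintext, demo only)
    tokens: dict = field(default_factory=dict)     # token -> (login, failed attempts with it)
    failures: dict = field(default_factory=dict)   # login -> consecutive untrusted failures

    def _trusted(self, login, token):
        return token in self.tokens and self.tokens[token][0] == login

    def wait_seconds(self, login, token=None):
        """Delay the client must observe before its next attempt (0 for a trusted token)."""
        if self._trusted(login, token):
            return 0.0
        n = self.failures.get(login, 0)
        return 0.0 if n == 0 else BASE_DELAY * 2 ** (n - 1)

    def get_login(self, login, password, token=None):
        """Return (status, token): 200 with a token to keep, 401 on bad credentials, 429 when
        a trusted token has used up its attempts (the wait-free budget is exhausted)."""
        trusted = self._trusted(login, token)
        if trusted:
            _, attempts = self.tokens[token]
            if attempts >= MAX_ATTEMPTS:
                return 429, None          # Too Many Requests: token no longer buys attempts
        if self.users.get(login) == password:
            self.failures.pop(login, None)       # successful login resets the untrusted backoff
            if trusted:
                self.tokens[token] = (login, 0)  # reset the per-token attempt counter
                return 200, token
            new_token = secrets.token_urlsafe(32)   # fresh random token for this client
            self.tokens[new_token] = (login, 0)
            return 200, new_token
        if trusted:
            self.tokens[token] = (login, attempts + 1)   # count against the token, no wait
        else:
            self.failures[login] = self.failures.get(login, 0) + 1   # grows the wait
        return 401, None
```

The caller is expected to enforce the delay returned by wait_seconds before accepting the next attempt; the model returns it rather than sleeping so the logic stays testable.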
History
Date                 User       Action  Args
2020-06-24 15:47:55  reviewbot  set     messages: + msg58857
2020-06-03 11:30:27  reviewbot  set     status: unread -> chatting; nosy: + reviewbot; messages: + msg58438
2020-06-03 11:30:27  reviewbot  set     reviews: 321511002; keyword: + review
2020-06-03 11:15:23  nicoe      create
