limit password logins to 3 per hour per account

liberapay · Sep 21, 2017 · 427f866 · 427f866
1 parent 6aad25b
commit 427f866
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/liberapay/constants.py b/liberapay/constants.py
@@ -198,6 +198,7 @@ def check_bits(bits):
     'log-in.email': (10, 60*60*24),  # 10 per day
     'log-in.email.not-verified': (2, 60*60*24),  # 2 per day
     'log-in.email.verified': (10, 60*60*24),  # 10 per day
+    'log-in.password': (3, 60*60),  # 3 per hour
 }
 
 SEPA = set("""

diff --git a/liberapay/exceptions.py b/liberapay/exceptions.py
@@ -149,6 +149,14 @@ def msg(self, _):
             "or contact [email protected]."
         )
 
+class TooManyPasswordLogins(LazyResponseXXX):
+    code = 429
+    def msg(self, _):
+        return _(
+            "There have been too many attempts to log in to this account recently, "
+            "please try again in a few hours or log in via email."
+        )
+
 
 class BadPasswordSize(LazyResponse400):
     def msg(self, _):

diff --git a/liberapay/security/authentication.py b/liberapay/security/authentication.py
@@ -7,7 +7,7 @@
 from pando import Response
 
 from liberapay.constants import SESSION, SESSION_TIMEOUT
-from liberapay.exceptions import LoginRequired, TooManyLoginEmails
+from liberapay.exceptions import LoginRequired, TooManyLoginEmails, TooManyPasswordLogins
 from liberapay.models.participant import Participant
 
 
@@ -42,6 +42,7 @@ def sign_in_with_form_data(body, state):
         password = body.pop('log-in.password', None)
         k = 'email' if '@' in id else 'username'
         if password:
+            website.db.hit_rate_limit('log-in.password', k, TooManyPasswordLogins)
             p = Participant.authenticate(
                 k, 'password',
                 id, password,