fix(auth): implement brute-force protection and account lockout#3409
fix(auth): implement brute-force protection and account lockout#3409Daksh7785 wants to merge 1 commit into
Conversation
|
Someone is attempting to deploy a commit to the ritesh Team on Vercel. A member of the Team first needs to authorize it. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary
The
POST /auth/loginendpoint lacked account lockout and exponential backoff mechanisms. This made the application highly susceptible to automated credential-guessing, credential stuffing, and brute-force attacks.Root Cause
The authentication workflow validated each login attempt independently without tracking state or establishing a cooldown period following consecutive failed authentication attempts. It lacked any adaptive response to suspicious patterns.
Solution
defaultdict.(client_ip, email)will lock the user account out for 15 minutes.asyncio.sleepto progressively delay execution of repeated attempts./auth/loginendpoint cleanly, resetting the tracking counter only upon a successful login.Files Changed
backend/main.pytimeanddefaultdict.auth_loginto extract the client IP via FastAPI'sRequest.supabase.auth.sign_in_with_passwordcall.Testing
Impact
Checklist