## 28) Login failure delay can enable app-layer DoS

2026-04-29 19:02:00 +02:00
parent 1e2576af2a
commit 9072117db3
6 changed files with 119 additions and 46 deletions


@@ -1907,7 +1907,7 @@ The login endpoint (`POST /api/auth/login`) is protected against brute-force att
**Rate Limit Rules:**
- **5 attempts per 60 seconds** per IP address.
- Requests exceeding the limit return **HTTP 429 Too Many Requests** with a `Retry-After` header.
- Each failed login triggers a 10-second server-side delay (`asyncio.sleep`) to further slow attacks, on top of bcrypt hashing (~100ms).
- Each failed login triggers a progressive server-side delay (exponential back-off, 110 seconds) to further slow attacks, on top of bcrypt hashing (~100ms). The penalty grows with consecutive failures and resets after the rate-limit window expires. Concurrency protection caps the delay when multiple penalty tasks are already running for the same IP.
**IP Extraction (Proxy Safety):**
- When behind nginx, the rate limiter reads the real client IP from `X-Forwarded-For` or `X-Real-IP` headers.
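Review bot: the new bullet's delay range reads "exponential back-off, 110 seconds", which looks like a dropped separator between the lower and upper bound; spell the bounds out (for example "from 1 second doubling up to 10 seconds") and also state the starting delay, the growth factor and the cap value that the concurrency protection applies, otherwise an operator cannot tell how long a single failed request can hold a worker. The bullet also says the penalty "resets after the rate-limit window expires" but not whether requests rejected with 429 count as failures toward the penalty or only attempts that reach the password check; since the rules above limit 5 attempts per 60 seconds, say explicitly which requests advance the back-off. Finally, the cap is described per IP, while the `X-Forwarded-For` bullet below makes the IP attacker-influenced when nginx is not the only hop; add a sentence noting that the cap only holds when the proxy headers are trusted.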