mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-23 08:36:47 +00:00
d3713dfaed
# Which Problems Are Solved
While the lockout policy was correctly applied on the session API and other authentication and management endpoints , it had no effect on the user service v2 endpoints.
# How the Problems Are Solved
- Correctly apply lockout policy on the user service v2 endpoints.
- Added tar pitting to auth factor checks (authentication and management API) to prevent brute-force attacks or denial of service because of user lockouts.
- Tar pitting is not active if `IgnoreUnknownUsername` option is active to prevent leaking information whether a user exists or not.
# Additional Changes
None
# Additional Context
- requires backports
* cleanup
(cherry picked from commit b8db8cdf9c)
35 lines
933 B
Go
35 lines
933 B
Go
package systemdefaults
|
|
|
|
import "time"
|
|
|
|
type TarpitConfig struct {
|
|
// After how many failed attempts, the tarpit should start.
|
|
MinFailedAttempts uint64
|
|
// The seconds that will be added per step.
|
|
StepDuration time.Duration
|
|
// The failed attempts that are needed to increase the tarpit by one step.
|
|
StepSize uint64
|
|
// The maximum duration the tarpit can reach.
|
|
MaxDuration time.Duration
|
|
}
|
|
|
|
func (t *TarpitConfig) Tarpit() func(failedCount uint64) {
|
|
return func(failedCount uint64) {
|
|
time.Sleep(t.duration(failedCount))
|
|
}
|
|
}
|
|
|
|
func (t *TarpitConfig) duration(failedCount uint64) time.Duration {
|
|
if failedCount < t.MinFailedAttempts {
|
|
return 0
|
|
}
|
|
// calculate the step we are at
|
|
// every StepSize failed attempts increase the step by one
|
|
step := (failedCount - t.MinFailedAttempts) / t.StepSize
|
|
duration := time.Duration(step) * t.StepDuration
|
|
if duration < t.MaxDuration {
|
|
return duration
|
|
}
|
|
return t.MaxDuration
|
|
}
|