mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-22 23:46:44 +00:00
# Which Problems Are Solved

While the lockout policy was correctly applied on the session API and other authentication and management endpoints, it had no effect on the user service v2 endpoints.

# How the Problems Are Solved

- Correctly apply lockout policy on the user service v2 endpoints.
- Added tar pitting to auth factor checks (authentication and management API) to prevent brute-force attacks or denial of service because of user lockouts.
- Tar pitting is not active if `IgnoreUnknownUsername` option is active to prevent leaking information whether a user exists or not.

# Additional Changes

None

# Additional Context

- requires backports

* cleanup

(cherry picked from commit b8db8cdf9c)
(cherry picked from commit d3713dfaed)
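As an added illustration, not ZITADEL's own code, here is a small Go model of the two rules the message describes: a growing per-failure delay that stops once the lockout itself rejects further checks, and the delay being switched off when `IgnoreUnknownUsername` is set so that response timing does not reveal whether a username exists. The type and field names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"time"
)

// LockoutPolicy is a hypothetical model of the behaviour described in the
// commit message; it is not ZITADEL's own type.
type LockoutPolicy struct {
	MaxAttempts           uint64        // lock after this many consecutive failures (0 = never lock)
	TarpitStep            time.Duration // extra delay added per consecutive failure
	TarpitMax             time.Duration // upper bound for the delay
	IgnoreUnknownUsername bool          // unknown users get the same generic error as bad passwords
}

// Outcome is what the caller applies after a failed auth-factor check.
type Outcome struct {
	Locked bool          // the user must be locked and further checks rejected
	Delay  time.Duration // how long to hold the response before answering
}

// OnFailure evaluates one failed attempt. failed is the consecutive-failure
// count including this attempt; known tells whether the username resolved to a user.
func (p LockoutPolicy) OnFailure(failed uint64, known bool) Outcome {
	if !known {
		// No user, no counter: always answered immediately. A tarpit applied only
		// to known users would therefore make existence observable via timing.
		return Outcome{}
	}
	var o Outcome
	if p.MaxAttempts > 0 && failed >= p.MaxAttempts {
		o.Locked = true
		return o // the lock stops further guesses; no tarpit needed on top
	}
	if p.IgnoreUnknownUsername {
		return o // tarpit disabled: known and unknown users must look the same
	}
	o.Delay = p.TarpitStep * time.Duration(failed)
	if o.Delay > p.TarpitMax {
		o.Delay = p.TarpitMax
	}
	return o
}

// LeaksExistence reports whether, under policy p, one failed attempt is
// answered differently for a known and an unknown username.
func LeaksExistence(p LockoutPolicy) bool {
	return p.OnFailure(1, true) != p.OnFailure(1, false)
}

func main() {
	p := LockoutPolicy{MaxAttempts: 5, TarpitStep: 500 * time.Millisecond, TarpitMax: 3 * time.Second}
	for i := uint64(1); i <= 5; i++ {
		fmt.Printf("failure %d: %+v\n", i, p.OnFailure(i, true))
	}
	fmt.Println("leaks existence:", LeaksExistence(p)) // true
	p.IgnoreUnknownUsername = true
	fmt.Println("with IgnoreUnknownUsername:", LeaksExistence(p)) // false
}
```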