From 9f145c2f5e7bcf9ad43130d34723ac905c7d417d Mon Sep 17 00:00:00 2001
From: Noah Petherbridge
Date: Sun, 20 Aug 2023 20:58:51 -0700
Subject: [PATCH] Tweak the login rate limiter

---
 pkg/controller/account/login.go | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/pkg/controller/account/login.go b/pkg/controller/account/login.go
index 7f2e2f6..3bfc98a 100644
--- a/pkg/controller/account/login.go
+++ b/pkg/controller/account/login.go
@@ -28,6 +28,21 @@ func Login() http.HandlerFunc {
 			password = r.PostFormValue("password")
 		)
 
+		// Rate limit login attempts by email or username they are trying (whether it exists or not).
+		limiter := &ratelimit.Limiter{
+			Namespace:  "login",
+			ID:         username,
+			Limit:      config.LoginRateLimit,
+			Window:     config.LoginRateLimitWindow,
+			CooldownAt: config.LoginRateLimitCooldownAt,
+			Cooldown:   config.LoginRateLimitCooldown,
+		}
+		if err := limiter.Ping(); err != nil {
+			session.FlashError(w, r, err.Error())
+			templates.Redirect(w, r.URL.Path)
+			return
+		}
+
 		// Look up their account.
 		user, err := models.FindUser(username)
 		if err != nil {
@@ -41,24 +56,8 @@ func Login() http.HandlerFunc {
 			return
 		}
 
-		// Rate limit failed login attempts.
-		limiter := &ratelimit.Limiter{
-			Namespace:  "login",
-			ID:         user.ID,
-			Limit:      config.LoginRateLimit,
-			Window:     config.LoginRateLimitWindow,
-			CooldownAt: config.LoginRateLimitCooldownAt,
-			Cooldown:   config.LoginRateLimitCooldown,
-		}
-
 		// Verify password.
 		if err := user.CheckPassword(password); err != nil {
-			if err := limiter.Ping(); err != nil {
-				session.FlashError(w, r, err.Error())
-				templates.Redirect(w, r.URL.Path)
-				return
-			}
-
 			session.FlashError(w, r, "Incorrect username or password.")
 			templates.Redirect(w, r.URL.Path)
 			return
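Review bot: In the first hunk `limiter.Ping()` now runs before `CheckPassword`, so successful logins consume the budget as well, whereas the removed code in the second hunk pinged only after a failed password; a user who logs in often will be throttled with no attacker involved, and nothing visible resets the bucket on success. Keying on the submitted string instead of `user.ID` also means an account reachable by both its email and its username now gets two independent budgets, and differently-cased spellings get more if `models.FindUser` matches case-insensitively (not visible here). If the limiter offers a reset or success path, call it after `CheckPassword` succeeds, and normalize the key with `ID: strings.ToLower(strings.TrimSpace(username)),` (adding the `strings` import if the file lacks it); either way the new comment should state that all attempts, successful or not, are counted. The enclosing `Login` handler begins and ends outside both hunks.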