Tweak the login rate limiter

This commit is contained in:
Noah Petherbridge 2023-08-20 20:58:51 -07:00
parent 3f500cd019
commit 9f145c2f5e


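--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -28,6 +28,21 @@ func Login() http.HandlerFunc {
 password = r.PostFormValue("password")
 )
+// Rate limit login attempts by email or username they are trying (whether it exists or not).
+limiter := &ratelimit.Limiter{
+Namespace: "login",
+ID: username,
+Limit: config.LoginRateLimit,
+Window: config.LoginRateLimitWindow,
+CooldownAt: config.LoginRateLimitCooldownAt,
+Cooldown: config.LoginRateLimitCooldown,
+}
+if err := limiter.Ping(); err != nil {
+session.FlashError(w, r, err.Error())
+templates.Redirect(w, r.URL.Path)
+return
+}
 // Look up their account.
 user, err := models.FindUser(username)
 if err != nil {
@@ -41,24 +56,8 @@ func Login() http.HandlerFunc {
 return
 }
-// Rate limit failed login attempts.
-limiter := &ratelimit.Limiter{
-Namespace: "login",
-ID: user.ID,
-Limit: config.LoginRateLimit,
-Window: config.LoginRateLimitWindow,
-CooldownAt: config.LoginRateLimitCooldownAt,
-Cooldown: config.LoginRateLimitCooldown,
-}
 // Verify password.
 if err := user.CheckPassword(password); err != nil {
-if err := limiter.Ping(); err != nil {
-session.FlashError(w, r, err.Error())
-templates.Redirect(w, r.URL.Path)
-return
-}
 session.FlashError(w, r, "Incorrect username or password.")
 templates.Redirect(w, r.URL.Path)
 return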
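Review bot: The new limiter in the first hunk is pinged before FindUser and before CheckPassword, so every attempt against a username — successful logins included — now consumes the window, and nothing on the visible new side resets the counter after a successful CheckPassword; the old code only counted failures, so a user who signs in a few times in quick succession can now be refused, and an unauthenticated client can presumably exhaust the window for any submitted name (the Cooldown semantics are not visible here). If the goal is just to stop the old limiter from revealing which usernames exist, keep the Ping keyed on the submitted username but call it only in the failure paths (after a failed FindUser and inside the CheckPassword error branch), or clear the limiter on success if ratelimit.Limiter supports that. The key is also the raw form value: if FindUser matches case-insensitively or trims whitespace (not shown in the hunk), `ID: strings.ToLower(strings.TrimSpace(username)),` keeps one bucket per account instead of one per spelling. `session.FlashError(w, r, err.Error())` forwards the limiter's error text to the client unchanged, which is only appropriate if that message is written for end users. Login's body begins before and ends after the hunks.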