Tweak the login rate limiter

2023-08-20 20:58:51 -07:00 · 2023-08-20 20:58:51 -07:00 · 9f145c2f5e
commit 9f145c2f5e
parent 3f500cd019
1 changed files with 15 additions and 16 deletions
--- a/pkg/controller/account/login.go
+++ b/pkg/controller/account/login.go
@ -28,6 +28,21 @@ func Login() http.HandlerFunc {
 				password = r.PostFormValue("password")
 			)

+			// Rate limit login attempts by email or username they are trying (whether it exists or not).
+			limiter := &ratelimit.Limiter{
+				Namespace:  "login",
+				ID:         username,
+				Limit:      config.LoginRateLimit,
+				Window:     config.LoginRateLimitWindow,
+				CooldownAt: config.LoginRateLimitCooldownAt,
+				Cooldown:   config.LoginRateLimitCooldown,
+			}
+			if err := limiter.Ping(); err != nil {
+				session.FlashError(w, r, err.Error())
+				templates.Redirect(w, r.URL.Path)
+				return
+			}
+
 			// Look up their account.
 			user, err := models.FindUser(username)
 			if err != nil {
@ -41,24 +56,8 @@ func Login() http.HandlerFunc {
 				return
 			}

-			// Rate limit failed login attempts.
-			limiter := &ratelimit.Limiter{
-				Namespace:  "login",
-				ID:         user.ID,
-				Limit:      config.LoginRateLimit,
-				Window:     config.LoginRateLimitWindow,
-				CooldownAt: config.LoginRateLimitCooldownAt,
-				Cooldown:   config.LoginRateLimitCooldown,
-			}
-
 			// Verify password.
 			if err := user.CheckPassword(password); err != nil {
-				if err := limiter.Ping(); err != nil {
-					session.FlashError(w, r, err.Error())
-					templates.Redirect(w, r.URL.Path)
-					return
-				}
-
 				session.FlashError(w, r, "Incorrect username or password.")
 				templates.Redirect(w, r.URL.Path)
 				return