ratelimit: ensure we hit the ip-ratelimit on unsuccesful attempts

against a valid account
2025-04-15 11:47:04 +02:00 · 2023-04-16 11:30:14 +02:00 · 2023-04-16 11:30:14 +02:00 · 21ed7b69a8
commit 21ed7b69a8
parent 775033391a
2 changed files with 2 additions and 0 deletions
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@ -71,6 +71,7 @@ class LimitWraperFactory(object):
    def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None, password=''):
        limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')
        if self.is_subject_to_rate_limits(ip):
+            self.rate_limit_ip(ip, username)
            truncated_password = hmac.new(bytearray(username, 'utf-8'), bytearray(password, 'utf-8'), 'sha256').hexdigest()[-6:]
            if password and (self.storage.get(f'dedup2-{username}-{truncated_password}') > 0):
                return
--- a/towncrier/newsfragments/2772.misc
+++ b/towncrier/newsfragments/2772.misc
@ -1 +1,2 @@
 Always exempt login attempts that use app-tokens from rate-limits
+Ensure that unsuccessful login attempts against a valid account hit the ip-based rate-limit too