Add ratelimiting on login #4821

babolivier · 2019-03-06T19:20:53Z

Add two ratelimiters on login (per-IP address and per-userID).
Fixes #1452

codecov · 2019-03-07T14:29:03Z

Codecov Report

Merging #4821 into develop will decrease coverage by 16.39%.
The diff coverage is 95.83%.

@@             Coverage Diff             @@
##           develop    #4821      +/-   ##
===========================================
- Coverage    75.18%   58.78%   -16.4%     
===========================================
  Files          340      324      -16     
  Lines        34984    33849    -1135     
  Branches      5739     5590     -149     
===========================================
- Hits         26303    19899    -6404     
- Misses        7062    12571    +5509     
+ Partials      1619     1379     -240

erikjohnston

Looks good, apart from a few niggles. Rich is probably right that we might want to think about how to make the config a little nicer

synapse/rest/client/v1/login.py

synapse/config/ratelimiting.py

synapse/rest/client/v1/login.py

tests/rest/client/v1/test_login.py

synapse/rest/client/v1/login.py

stale

synapse/config/ratelimiting.py

richvdh · 2019-03-15T11:16:47Z

synapse/handlers/auth.py

@@ -569,6 +574,12 @@ def check_user_exists(self, user_id):
            defer.Deferred: (unicode) canonical_user_id, or None if zero or
            multiple matches
        """
+        self._account_ratelimiter.ratelimit(
+            user_id, time_now_s=self._clock.time(),
+            rate_hz=self.hs.config.rc_login.account.per_second,


can you pull out these config settings in the constructor please?

Nope, because it makes the tests fail, since the test define special config parameters after initiating the handlers and servlets.
I had them in the constructor initially but couldn't find a sensible way to make the tests pass that way so I reverted that part.

synapse/handlers/auth.py

tests/rest/client/v1/test_login.py

synapse/config/ratelimiting.py

stale

richvdh

lgtm! Please squash and merge once the CI passes.

babolivier added 8 commits March 6, 2019 16:46

Add per-address ratelimiting for login requests

8100974

Add per-userID ratelimiting on login

3374137

Fix typo in config load

1a9c275

Fix variable declaration

70dac94

Fix function definition

a30069d

Add changelog

3b2dab0

Fix typo in variable name

1ac2744

Update sample config

6384697

babolivier mentioned this pull request Mar 7, 2019

Add support for ratelimiting on login matrix-org/sytest#569

Merged

Fix most unit tests

0fe04e0

Add unit tests

145b0de

babolivier marked this pull request as ready for review March 8, 2019 17:01

babolivier requested a review from a team March 8, 2019 17:01

babolivier added 2 commits March 8, 2019 17:02

Forgot to remove a comment

1d39f88

Make CI happy

064ff3f

erikjohnston previously requested changes Mar 11, 2019

View reviewed changes

synapse/rest/client/v1/login.py Outdated Show resolved Hide resolved

synapse/rest/client/v1/login.py Outdated Show resolved Hide resolved

richvdh previously requested changes Mar 11, 2019

View reviewed changes

babolivier added 11 commits March 12, 2019 16:03

Use helper to register user

9152220

Fix indent

ed040d0

Move login ratelimiters to login servlet and auth handler

c1ed7d0

Don't register the registration servlet

127c295

Lint

e97afec

Fix indent

9f3df2a

Use a nicer structure for ratelimiter settings

a0f44de

Update tests

4115a7b

Use a different structure for settings, letting messages out of it

7fd26d9

Fix typo

3e6a729

Fix typo

836ab80

babolivier added 2 commits March 14, 2019 20:29

Fix config processing

5437531

Lint

8b13756

babolivier requested a review from a team March 14, 2019 21:00

Fix config processing

b6ebef3

richvdh previously requested changes Mar 15, 2019

View reviewed changes

Incorporate review

8de2687

babolivier requested a review from a team March 15, 2019 14:47

babolivier added 5 commits March 15, 2019 14:50

Use global constant instead of self.url

761346c

Generate sample config

2ff8d11

Lint

c96c6b2

Improve doc

174e9f5

Regenerate config sample

f41a044

babolivier mentioned this pull request Mar 15, 2019

Add ratelimiting on failed login attempts #4865

Merged

richvdh and others added 3 commits March 15, 2019 16:24

fix default config formatting

148759b

Regenerate sample config

c015d95

Make wording more generic to avoid pain when iterating

8872ac1

richvdh approved these changes Mar 15, 2019

View reviewed changes

babolivier merged commit 899e523 into develop Mar 15, 2019

erikjohnston deleted the babolivier/ratelimit-login branch March 16, 2019 14:24

babolivier mentioned this pull request Mar 18, 2019

We should ratelimit Login (and register) requests more aggressively (SYN-559) #1452

Closed

babolivier restored the babolivier/ratelimit-login branch November 5, 2019 11:27

babolivier deleted the babolivier/ratelimit-login branch October 28, 2021 15:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add ratelimiting on login #4821

Add ratelimiting on login #4821

babolivier commented Mar 6, 2019 •

edited

Loading

codecov bot commented Mar 7, 2019 •

edited

Loading

erikjohnston left a comment

richvdh Mar 15, 2019

babolivier Mar 15, 2019 •

edited

Loading

richvdh left a comment

Add ratelimiting on login #4821

Add ratelimiting on login #4821

Conversation

babolivier commented Mar 6, 2019 • edited Loading

codecov bot commented Mar 7, 2019 • edited Loading

Codecov Report

erikjohnston left a comment

Choose a reason for hiding this comment

richvdh Mar 15, 2019

Choose a reason for hiding this comment

babolivier Mar 15, 2019 • edited Loading

Choose a reason for hiding this comment

richvdh left a comment

Choose a reason for hiding this comment

babolivier commented Mar 6, 2019 •

edited

Loading

codecov bot commented Mar 7, 2019 •

edited

Loading

babolivier Mar 15, 2019 •

edited

Loading