Brute force attacks protection

[gimenete]

There should be protection agains brute force attacks by slowing down the server:

• Many failed logins from same IP
• Many failed logins to the same email (even if they are from different IPs).
• Many failed logins using the same password (even if they are from different IPs or to different accounts).

We need to store some counters either in memory (default) or redis (opt-in feature that would allow multiple server instances having the same counters).

[gimenete]

reCAPTCHA was added, but we might want to implement other mechanisms.

[callaars]

You might want to increase the response time slightly with every incorrect attempt as well.

[gimenete]

Yeah, agreed.

I've looked to this module for in-memory rate limiting: https://github.com/jhurliman/node-rate-limiter for rate-limiting.

And these docs for using redis for rate limiting: https://redis.io/commands/incr#pattern-rate-limiter-1

[callaars]

The first step would be to just add rate limiting in nginx through: limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s; for example.

We could advice on that.

[callaars]

We might not need to hit the actual app for this.

[chadfurman]

It would also make sense to cache the JWTs in redis, and then a quick check can filter out most unauthorized requests without having to decode or verify any session IDs