Comments (3)
This sounds like a good idea, but I think if we do it we should use DRF's throttle policy somehow instead of building our own rate limiting mechanism.
from django-rest-framework-passwordless.
Given that throttling for non-trivial cases generally requires some sort of shared backend (i.e. redis), you should rely on (and really, need) the underlying framework's throttling capabilities to be configured and enabled. There might be some setting at drfpasswordless level for ease of customization - but you can't just have that.

To limit retries - you may be able to get by with enabling `rest_framework.throttling.AnonRateThrottle` as one of the DRF `DEFAULT_THROTTLE_CLASSES` and setting the rate to something like `'anon': '10/minute'`. That will apply rate limiting over drfpasswordless APIs.
from django-rest-framework-passwordless.
I did some testing and yes it is possible to brute-force the 6-digit code. This should be mentioned in the README, as the configuration described there is insecure.
Using AnonRateThrottle won't work, as it looks at the X-Forwarded-For header which an attacker can spoof. A better solution is to rate-limit /auth/token based on the email address or mobile number in the request, rather than the source IP address. This can be done with django-ratelimit. This solution does create a denial-of-service vulnerability, where an attacker could lock out a valid user.
This library is also vulnerable to account enumeration. The responses from /auth/email and /auth/mobile specify whether an account exists or not, which is a concern in many applications. I modified the code so that the same response was sent regardless; however, I found that it was still possible to enumerate accounts based on response time. Rate-limiting /auth/email and /auth/mobile helps but does not eliminate this vulnerability.
from django-rest-framework-passwordless.
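As an added example (not code from this issue or from drfpasswordless), here is the shape of the per-identifier throttle the comment above suggests, written without Django so it runs stand-alone: the throttle key is derived from the email or mobile in the request body, so a spoofed `X-Forwarded-For` header has no effect, and an in-memory deque stands in for the shared backend (e.g. redis) the second comment says a real deployment needs. Requests are assumed to be plain dicts with `headers` and `data` keys; in a real DRF throttle the same key logic would live in `get_cache_key()`.

```python
import hashlib
import time
from collections import defaultdict, deque

RATE_LIMIT = 10       # attempts allowed per identifier ...
WINDOW_SECONDS = 60   # ... per sliding window (mirrors '10/minute')


def throttle_key(data):
    """Build the throttle key from the email/mobile in the request body.

    The source IP and X-Forwarded-For are deliberately ignored: an attacker
    controls them, but not the identifier of the account being attacked.
    The identifier is hashed so the cache key carries no PII.
    """
    ident = (data.get("email") or data.get("mobile") or "").strip().lower()
    if not ident:
        return None
    return "throttle_token_" + hashlib.sha256(ident.encode()).hexdigest()


class IdentifierThrottle:
    """Sliding-window limiter keyed on the target account, not the client."""

    def __init__(self, rate=RATE_LIMIT, window=WINDOW_SECONDS):
        self.rate = rate
        self.window = window
        # Assumption: a dict of deques stands in for a shared cache (redis).
        self.history = defaultdict(deque)

    def allow_request(self, request, now=None):
        now = time.monotonic() if now is None else now
        key = throttle_key(request.get("data", {}))
        if key is None:
            # Nothing to key on; let the view reject the malformed request.
            return True
        timestamps = self.history[key]
        # Drop attempts that have aged out of the window.
        while timestamps and timestamps[0] <= now - self.window:
            timestamps.popleft()
        if len(timestamps) >= self.rate:
            # Note the trade-off from the comment: once the limit is hit,
            # the legitimate owner of this identifier is locked out too.
            return False
        timestamps.append(now)
        return True
```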