
fix(login): rate limiter shouldn't count successful logins #3141


Merged 14 commits into main from jsjoeio/fix-login-rate-limiter on Apr 19, 2021

Conversation

jsjoeio (Contributor) commented Apr 15, 2021

This PR fixes the login rate limiter to not count successful logins. This is important because it was causing issues with the e2e tests hitting the rate limit even though the logins were successful.

Changes

  • adds unit test for RateLimiter
  • moves loginPage.test.ts into login.test.ts
  • adds e2e tests for missing password, wrong password (and rate limiter)
  • adds new method to RateLimiter.canTry() to check remaining tokens

Fixes #2647
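The fix described above, as an added example that is not code-server's own code: a minimal token-bucket RateLimiter with the canTry() peek, beside a login handler that charges a token on every attempt (the old behaviour) and one that refuses when the bucket is empty but only charges failed attempts (the fixed behaviour). The class shape, the bucket size and refill interval, and the injected clock are assumptions for illustration.

```typescript
// Added example, not code-server's own code: a minimal token-bucket login limiter.
// Bucket size, refill interval and the injectable clock are assumptions.
class RateLimiter {
  private tokens: number
  private lastRefill: number
  constructor(private readonly capacity: number, private readonly refillMs: number, private readonly now: () => number = Date.now) {
    this.tokens = capacity
    this.lastRefill = now()
  }
  // Add one token per elapsed refill interval, never above capacity.
  private refill(): void {
    const intervals = Math.floor((this.now() - this.lastRefill) / this.refillMs)
    if (intervals > 0) {
      this.tokens = Math.min(this.capacity, this.tokens + intervals)
      this.lastRefill += intervals * this.refillMs
    }
  }
  // Peek at the bucket without consuming a token (the new canTry()).
  canTry(): boolean {
    this.refill()
    return this.tokens > 0
  }
  // Consume one token; false if the bucket is already empty.
  removeToken(): boolean {
    this.refill()
    if (this.tokens <= 0) return false
    this.tokens -= 1
    return true
  }
}

type LoginResult = "ok" | "bad-password" | "rate-limited"

// Before the fix: every attempt consumed a token, so a run of successful
// logins (like the e2e suite) exhausted the bucket.
function loginBefore(limiter: RateLimiter, passwordOk: boolean): LoginResult {
  if (!limiter.removeToken()) return "rate-limited"
  return passwordOk ? "ok" : "bad-password"
}

// After the fix: an empty bucket refuses the attempt before the password is
// even checked, but only a failed check consumes a token.
function loginAfter(limiter: RateLimiter, passwordOk: boolean): LoginResult {
  if (!limiter.canTry()) return "rate-limited"
  if (passwordOk) return "ok"
  limiter.removeToken()
  return "bad-password"
}
```

The fixed handler still refuses an attempt whenever the bucket is empty, before any password check runs; counting only failures must not turn into skipping the limiter on success.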

@jsjoeio jsjoeio self-assigned this Apr 15, 2021
@jsjoeio jsjoeio changed the title from jsjoeio/fix-login-rate-limiter to fix(login): rate limiter shouldn't count successful logins Apr 15, 2021
@jsjoeio jsjoeio added this to the v3.9.4 milestone Apr 15, 2021
@jsjoeio jsjoeio marked this pull request as ready for review April 15, 2021 23:52
@jsjoeio jsjoeio requested a review from a team as a code owner April 15, 2021 23:52
@oxy oxy left a comment

Ratelimiter needs adjustment - see individual review comments.

@jsjoeio jsjoeio force-pushed the jsjoeio/fix-login-rate-limiter branch from 0d5f223 to fc85bf1 April 16, 2021 21:25
@jsjoeio jsjoeio requested review from oxy and code-asher April 16, 2021 21:25
oxy previously requested changes Apr 19, 2021

@oxy oxy left a comment

Just a few nits; looking in good shape otherwise!

jsjoeio added 10 commits April 19, 2021 10:40
Before, we weren't checking if a login was successful before counting it
against the rate limiter.

With this change, we only count unsuccessful logins against the rate limiter.

We did this because this was a bug but also because it caused problems with our
e2e tests hitting the rate limit.
This change adds a new method called `.canTry` to the rate limiter to check if
there are tokens remaining in the bucket.

It also adds suggestions from @oxy to make sure the user can brute force past
the rate limiter.
@jsjoeio jsjoeio force-pushed the jsjoeio/fix-login-rate-limiter branch from fc85bf1 to 7928dc2 April 19, 2021 17:41
@jsjoeio jsjoeio requested review from oxy and code-asher April 19, 2021 18:22
@jsjoeio jsjoeio force-pushed the jsjoeio/fix-login-rate-limiter branch from d23c37c to f80d5c3 April 19, 2021 20:14
@jsjoeio jsjoeio dismissed oxy’s stale review April 19, 2021 20:14

I've made the requested changes and Asher has approved.

@oxy oxy left a comment

All looks good!

@repo-ranger repo-ranger bot merged commit 6d65680 into main Apr 19, 2021
@repo-ranger repo-ranger bot deleted the jsjoeio/fix-login-rate-limiter branch April 19, 2021 20:29
@jsjoeio jsjoeio added the testing Anything related to testing label May 14, 2021

Successfully merging this pull request may close these issues.

Login rate limiter should not count against successful logins
4 participants