feat(auth): add per-account auth rate limits#544
Open
slint wants to merge 1 commit intoinveniosoftware:masterfrom
Open
feat(auth): add per-account auth rate limits#544slint wants to merge 1 commit intoinveniosoftware:masterfrom
slint wants to merge 1 commit intoinveniosoftware:masterfrom
Conversation
slint
force-pushed
the
limit-frogot-password
branch
from
948b91a to
0a5e077
Compare
slint
changed the title
slint
force-pushed
the
limit-frogot-password
branch
3 times, most recently
from
568ee4c to
8ed0a3a
Compare
ntarocco
approved these changes
Feb 18, 2026
| ) | ||
| """Message shown when forgot-password per-account rate limit is exceeded.""" | ||
|
|
||
| ACCOUNTS_LOGIN_RATELIMIT = None |
Contributor
There was a problem hiding this comment.
Do we want to have None as default? Or maybe a good value instead as a default?
Same for all the other endpoints.
Member
Author
There was a problem hiding this comment.
I'm not sure if Flask-Limiter is enabled by default in all instances... In invenio-app we always initialize the extension, but I'm not sure if there's another config flag that actually "enables" it.
I wanted to go around this assumption by not configuring any of the limits here. This is something we could do in invenio-app-rdm though where we have already configured e.g. Redis for the rate-limiting storage.
- Enforce per-account limits on forgot-password, login, and send-confirmation flows using user-id limiter keys. - Add configurable rate-limit and key-prefix settings for each protected flow.
slint
force-pushed
the
limit-frogot-password
branch
from
8ed0a3a to
22ea60f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Screenshots