Do we have rate limiting for brute force login attacks somewhere in the application code? That looks to me like one of the more important features that was disabled.

@jmhooper my understanding was we moved the rate limiting upstream to AWS
jmhooper

If rate limiting has been moved to AWS, and Rack Attack is currently disabled, then yeah this is dead code and we should remove it.

One nice thing Rack Attack provided was the ability to log each time a throttle was triggered. Does AWS provide that as well? How is rate limiting currently configured in AWS?
addf8b1 to d427f66
**Why**: It has been disabled for a while now, we moved critical parts like SMS rate limiting to app code.

Did we ever get answers to my questions? Are we able to log and monitor when a limit is being exceeded, such as when someone is trying to guess a password?

@monfresh no, right now we don't. But my feelings were that since it's currently disabled, it's just cruft. We can always

It was only disabled temporarily to help us troubleshoot the issue we had in prod a while back. We resolved that by removing the OTP sending from Rack Attack. My opinion is that we should turn it back on until we find a replacement that also includes logging. I think it's valuable to be able to see how often rate limits get triggered.
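To make concrete what the two comments above are asking for (a login throttle that also records every time it fires, with OTP sending kept out of the counted requests), here is an added example in plain Ruby. It is not login.gov's code and not rack-attack's code; it is a stand-alone stand-in with no gem dependency, so the class name `LoginThrottle`, the `demo` helper, the paths and the IP addresses are all constructed for illustration. In a real Rails app the equivalent of `log_lines` would be an ActiveSupport::Notifications subscriber on the event rack-attack publishes for throttle hits (named `throttle.rack_attack` in recent versions), writing one structured line per hit so the rate of triggered limits can be graphed and alerted on.

```ruby
# Added example (not login.gov's or rack-attack's code): a minimal stand-in for a
# Rack::Attack-style login throttle that also records every throttle hit, so
# operators can see how often a limit is exceeded. All names are hypothetical.
require "time"
require "json"

class LoginThrottle
  ThrottleEvent = Struct.new(:name, :discriminator, :count, :limit, :period, :at)

  # limit: allowed attempts per period (seconds) for one discriminator (here the client IP).
  # clock is injectable so the sample run below is deterministic.
  def initialize(name: "logins/ip", limit: 5, period: 60, clock: -> { Time.now })
    @name, @limit, @period, @clock = name, limit, period, clock
    @counters = Hash.new(0)   # "discriminator:window" => attempt count in that window
    @events = []              # one entry per throttled request, for logging/monitoring
  end

  attr_reader :events

  # Returns :allow or :throttle for a Rack-style env hash. Only POST /login is
  # counted; OTP delivery and every other path are left out, matching the
  # decision in the thread to keep OTP sending out of the throttle.
  def call(env)
    return :allow unless env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == "/login"

    now = @clock.call
    window = now.to_i / @period                      # fixed window index
    key = "#{env["REMOTE_ADDR"]}:#{window}"
    @counters[key] += 1
    count = @counters[key]
    return :allow if count <= @limit

    # Over the limit: record the hit so it can be logged, not just rejected.
    @events << ThrottleEvent.new(@name, env["REMOTE_ADDR"], count, @limit, @period, now)
    :throttle
  end

  # One JSON line per throttle hit, the shape you would emit from a
  # notifications subscriber in a real app.
  def log_lines
    @events.map do |e|
      JSON.generate({ event: "throttle", name: e.name, discriminator: e.discriminator,
                      count: e.count, limit: e.limit, period: e.period,
                      at: e.at.utc.iso8601 })
    end
  end
end

# Constructed sample traffic: 8 password guesses from one IP inside one window,
# then an OTP request from the same IP and a single guess from a second IP,
# neither of which may share the first IP's login counter.
def demo
  t0 = Time.utc(2020, 1, 1, 0, 0, 0)
  throttle = LoginThrottle.new(limit: 5, period: 60, clock: -> { t0 })
  results = []
  8.times do
    results << throttle.call("REQUEST_METHOD" => "POST", "PATH_INFO" => "/login",
                             "REMOTE_ADDR" => "198.51.100.7")
  end
  results << throttle.call("REQUEST_METHOD" => "POST", "PATH_INFO" => "/otp/send",
                           "REMOTE_ADDR" => "198.51.100.7")
  results << throttle.call("REQUEST_METHOD" => "POST", "PATH_INFO" => "/login",
                           "REMOTE_ADDR" => "203.0.113.9")
  { results: results, throttled: throttle.events.size, log: throttle.log_lines }
end

if __FILE__ == $PROGRAM_NAME
  out = demo
  puts out[:results].inspect
  puts out[:log]
end
```

Running it shows the first five guesses allowed, guesses six through eight throttled and logged with their running count, and the OTP request and the second IP's guess both allowed, which is the behaviour the thread wants to keep visible in logs rather than silently enforced upstream.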

It was "temporarily" disabled back in May -- I'm going to leave this as-is but 100% supportive of other PRs to fix/revert/etc