Trigger an AttemptEvent when a user is locked out for too many login attempts that fail.

changelog: Internal, Attempts API, Login rate limit event
Note: There was some ambiguity in the story about what we were seeking to capture. I went with the simplest thing to start, which is the place in At standup, I referenced this starting to turn into a slippery slope / rabbit hole. (Slippery rabbit hole?)

Strictly speaking, this event fires every time the user tries to log in after hitting the rate limit. In practice, a human user with a real web browser would get redirected away from the login page and probably try something different, so they might only hit this once. However, it's also worth noting that (a) a bot trying this may generate this event repeatedly, indicating ongoing attempts, and (b) this particular rate limit stores the count in the user session, which could easily be cleared out.

Users exceeding or circumventing that will eventually run into Rack::Attack. This PR currently doesn't log those instances. I am not sure we should, because it opens us up to generating an unlimited flood of events from users who are, by definition, doing something abusive.
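As an added example (not code from this PR or the project), the Ruby sketch below shows how a consumer of these events could tell a single lockout from the repeated firing described in (a), by grouping each user's events into episodes. The event type name, the field names, and the thresholds are assumptions, and the sample events are constructed.

```ruby
require 'time'

# Hypothetical event type name; the page only calls it a "Login rate limit event".
RATE_LIMIT_EVENT = 'login-rate-limited'

# Group one user's event times into episodes: a new episode starts when the
# gap since the previous event exceeds max_gap seconds.
def episodes_for(timestamps, max_gap)
  timestamps.sort.slice_when { |a, b| b - a > max_gap }.to_a
end

# Returns { user_id => { episodes:, events:, ongoing: } }.
# ongoing is true when any single episode holds at least burst_size events,
# meaning the client kept submitting logins after it was locked out.
def summarize_rate_limit_events(events, max_gap: 300, burst_size: 5)
  by_user = events.select { |e| e[:type] == RATE_LIMIT_EVENT }
                  .group_by { |e| e[:user_id] }
  by_user.transform_values do |user_events|
    eps = episodes_for(user_events.map { |e| Time.iso8601(e[:at]) }, max_gap)
    { episodes: eps.size,
      events: user_events.size,
      ongoing: eps.any? { |ep| ep.size >= burst_size } }
  end
end

# Constructed sample data: eight events two seconds apart for user-b.
BURST = (0...8).map do |i|
  { type: RATE_LIMIT_EVENT, user_id: 'user-b',
    at: (Time.utc(2022, 9, 1, 11, 0, 0) + i * 2).iso8601 }
end

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
  { type: RATE_LIMIT_EVENT, user_id: 'user-a', at: '2022-09-01T10:00:00Z' },
  { type: 'login-success', user_id: 'user-c', at: '2022-09-01T10:00:05Z' },
  *BURST,
  { type: RATE_LIMIT_EVENT, user_id: 'user-b', at: '2022-09-01T15:00:00Z' }
].freeze

if __FILE__ == $PROGRAM_NAME
  summarize_rate_limit_events(SAMPLE_EVENTS).each do |user, s|
    puts "#{user}: #{s[:events]} events, #{s[:episodes]} episode(s), ongoing=#{s[:ongoing]}"
  end
end
```

Reporting episodes rather than raw events also keeps downstream alert volume bounded when one client fires the event many times.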
* Refactor step indicator as ViewComponent component (#6910)
  **Why**:
  - All the standard benefits of ViewComponent (better separation of view and logic, testability, performance, etc)
  - Toward a consistent reusable UI component library
  - Remove more unused "pending" status logic
  [skip changelog]
* LG-7305 Make sure ThreatMetrix failure disables profile Part 2 (#6925)
* LG-6497: Create and use new Memorable Date component in State ID step of IPP flow (#6713)
* date strings in en
* add uswds memorable date component to ruby components
* wip on wrapper
* LG-6497: Allow DateTime input to accept labels for each part of the date
* error highlight showing for component
* get inputs from memorable date fields
* change input padding so numbers show
* memorable date component spec
* check date input by user is in the past
* update textContent of err class with err message
* display error message and state when date is in future or today
* remove unused strings
* move error msg to strings
* refactor js file to ts
* LG-6497: Update memorable date component to include validation
* LG-6497: Improve validation and cover additional scenarios for memorable date component
* LG-6497: Allow memorable date validation with multiple ranges
* LG-6497: Add missing error messages; change error message without changing selected field
* LG-6497: Integrate memorable date component into IPP state ID form
* LG-6497: Correct lint errors
* changelog: Upcoming Features, In-person proofing, Replace State ID date input with Memorable Date component
* LG-6497: Work on internationalization and test fixes
* LG-6497: Fix i18n errors and add component documentation
* LG-6497: Write tests covering memorable date component rendering
* LG-6497: Update InPersonHelper so tests use memorable date DOB component correctly
* LG-6497: Remove extra line in memorable-date package.json
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* LG-6497: More semantically represent error message lookup filtering
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* LG-6497: Use more common idiom for filtering out null/empty values for memorable date inputs
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* Lg-6497: Remove unnecessary array type check
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* LG-6497: Simplify JS logic, ERB formatting, and CSS class for memorable date component
* LG-6497: Get min/max attributes for memorable date using new Date() instead of Date.parse()
* LG-6497: Prevent built-in errors from overriding custom errors
* LG-6497: Follow JS lower camel case standard for naming error message fields
* LG-6497: Allow conversion of additional types to ISO formats for min/max dates
  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* LG-6497: Update min/max docs to show additional types can be used
  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* LG-6497: Support date-like values for i18n conversion; update comments and docblock
* LG-6497: Update comments
* LG-6497: CSS code style fixes
* LG-6497: Write tests for MemorableDateElement; refine regex for day to ensure valid day range is enforced
* LG-6497: Rename parameter in forEach for clarity
* LG-6497: Rename additional arrow function params for clarity
* LG-6497: Prevent ValidatedFieldElement from changing focus away from inputs with errors
* LG-6497: Ensure lg-validated-field selects correct error element
* LG-6497: Add listeners to memorable date instead of child inputs
* LG-6497: Update test to cover error message element selection via aria-describedby in lg-validated-field
* LG-6497: Fix test lint issues
* LG-6497: Start with error message element hidden to avoid inconsistent field spacing
* LG-6497: Use tag_options; correct created error element ID; fix Safari issue; code cleanup
* LG-6497: Update pattern in memorable date JS test
* LG-6497: Update phone test to correctly use aria-describedby for find_by_id
* LG-6497: Update send link test to correctly use aria-describedby for find_by_id
  Co-authored-by: Shannon Alexander <shannonalexander@Shannons-MBP.fios-router.home>
  Co-authored-by: Tim Bradley <timothy.bradley@gsa.gov>
  Co-authored-by: Shannon Alexander <shannonalexander@Shannons-MacBook-Pro.local>
  Co-authored-by: Tim Bradley <90272033+NavaTim@users.noreply.github.com>
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* LG-6497: Minor style/doc fixes related to memorable date change (#6929)
* LG-6497: Minor style/doc fixes
* [skip changelog]
* LG-7109 Add Event: IDV verification rate limited (#6928)
* LG-7109 Add Event: IDV verification rate limited
  changelog: Internal, Attempts API, Track additional events
* alphabetic order change
* Enable Rubocop Style/MethodDefParentheses (#6930)
  **Why**: For consistency, and to reduce toil in code review.
  changelog: Internal, Linting, Enable new rules for Rubocop static analysis
* LG-7429 | Login rate limit event (#6926)
  Trigger an AttemptEvent when a user is locked out for too many login attempts that fail.
  changelog: Internal, Attempts API, Login rate limit event
* LG-7205: Add logging for initial in-person step visits, submissions (#6918)
* Add missing flow_path parameter for API::DocumentCaptureController
  So that it's logged correctly in analytics
* LG-7205: Add logging for initial step visits, submissions
  **Why**: So that we have better insight into the user's journey through the in-person proofing flow.
  changelog: Upcoming Features, In-person proofing, Improve analytics for in-person proofing actions
* Remove parameters
  Appease linter
* Manage step visit, submit events as part of AnalyticsContext
  To centralize storage of step metadata
  Reverts to string step names (for now) to avoid dependency cycle between analytics context and steps
* Fix children type for AnalyticsProvider props
* Add specs for InPersonLocationStep
* Add specs for AnalyticsContextProvider
* Resolve TypeScript errors for context value shape
  Use provider wrapper to handle creation of full context value
* Absorb thrown network error in trackEvent
* Add reference to spec
* Use SpinnerButton for prepare step submission
  **Why**:
  - Prevent multiple event logging if user were to click multiple times in quick succession
  - Present feedback to user for pending network request before navigation
* Avoid unnecessary variable assignment
* LG-7396 Confirm connection to Lexis Nexis (#6931)
* Add scripts to test call to lexis nexis
  Refactor scripts that call VA to get user's PII, so that it can also be used in the script to test Lexis Nexis Phone Finder call.
  changelog: Internal, Upcoming Features, Confirm Connection to Lexis Nexis (LG-7396)
  Add force failure switches
  Fix rubocop violations
* Fix rubocop violations
* LG-7194 Add Event: Account purged (#6934)
  changelog: Internal, Attempts API, Track additional events
* LG-6497: Revert Memorable Date Changes (#6940)
* Revert "LG-6497: Minor style/doc fixes related to memorable date change (#6929)"
  This reverts commit e0e8ad4.
* Revert "LG-6497: Create and use new Memorable Date component in State ID step of IPP flow (#6713)"
  This reverts commit cead2c1.
* [skip changelog]
  Co-authored-by: Steve Urciuoli <steve.urciuoli@gsa.gov>
  Co-authored-by: Shannon A <20867088+svalexander@users.noreply.github.com>
  Co-authored-by: Shannon Alexander <shannonalexander@Shannons-MBP.fios-router.home>
  Co-authored-by: Tim Bradley <timothy.bradley@gsa.gov>
  Co-authored-by: Shannon Alexander <shannonalexander@Shannons-MacBook-Pro.local>
  Co-authored-by: Tim Bradley <90272033+NavaTim@users.noreply.github.com>
  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
  Co-authored-by: olatifflexion <109746710+olatifflexion@users.noreply.github.com>
  Co-authored-by: Matt Wagner <mattwagner@navapbc.com>
  Co-authored-by: Gene M. Angelo, Jr <web.gma@gmail.com>
Why: This was a gap in events we send!