Implements rate limiting for various resources.

After activation rate limiting will be added to the login and password reset flow.

The rate limiting is done on username or e-mail address. After five attempts the username (or e-mail address) will be blocked for an hour.

If a username is used for a successful login, then a special device-id cookie is placed on the user-agent. This device-id ensures that that particular user-agent is allowed its own five tries. This prevents a username to be blocked on known devices by tries on other devices. The device-id cookie is only valid for a single username.

Edit on GitHub



Not yet documented.