identity: make otp rate limiting more strict
@@ -91,7 +91,7 @@ namespace Streetwriters.Identity.Controllers
|
||||
[HttpPost("send")]
|
||||
[Authorize("mfa")]
|
||||
[Authorize(LocalApi.PolicyName)]
|
||||
[EnableRateLimiting("strict")]
|
||||
[EnableRateLimiting("super_strict")]
|
||||
public async Task<IActionResult> RequestCode([FromForm] string type)
|
||||
{
|
||||
var client = Clients.FindClientById(User.FindFirstValue("client_id"));
|
||||
|
||||
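Review bot: The policy name in `[EnableRateLimiting("super_strict")]` is a magic string that has to match the registration `options.AddSlidingWindowLimiter("super_strict", ...)` in Startup character for character, and a mismatch between the two is only discovered at run time. A shared constant would tie the two sites together, e.g. `public static class RateLimitPolicies { public const string SuperStrict = "super_strict"; }` used as `[EnableRateLimiting(RateLimitPolicies.SuperStrict)]`; the `[Authorize(LocalApi.PolicyName)]` attribute two lines above already follows that pattern. Which of the two `EnableRateLimiting` lines is the removed one is inferred from the hunk counts and the commit title. The body of `RequestCode` continues outside the hunk.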
@@ -24,6 +24,7 @@ using System.Text;
|
||||
using System.Text.Encodings.Web;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.AspNetCore.Identity;
|
||||
using Streetwriters.Common;
|
||||
using Streetwriters.Common.Enums;
|
||||
using Streetwriters.Common.Interfaces;
|
||||
using Streetwriters.Common.Models;
|
||||
@@ -185,6 +186,7 @@ namespace Streetwriters.Identity.Services
|
||||
case "sms":
|
||||
await UserManager.SetPhoneNumberAsync(user, form.PhoneNumber);
|
||||
var id = await SMSSender.SendOTPAsync(form.PhoneNumber, client);
|
||||
await Slogger<MFAService>.Info("SendOTPAsync", user.Id.ToString(), id);
|
||||
await this.ReplaceClaimAsync(user, MFAService.SMS_ID_CLAIM, id);
|
||||
break;
|
||||
|
||||
|
||||
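Review bot: The new log call `await Slogger<MFAService>.Info("SendOTPAsync", user.Id.ToString(), id);` writes the same value that the next line stores as `MFAService.SMS_ID_CLAIM`; if that value is, or could later become, the one-time code rather than the provider's message reference, it ends up in the log. Presumably it is a message reference, so a short comment on the line would pin that down, e.g. `// id is the SMS provider's message reference (not the OTP); it is logged and kept as a claim so verification can be correlated` — please confirm against SMSSender.SendOTPAsync. That this is the added line is inferred from the hunk counts (one addition) and the new `using` added in the earlier hunk of this file. The enclosing switch and method start and end outside the hunk.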
@@ -145,6 +145,14 @@ namespace Streetwriters.Identity
|
||||
options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
|
||||
options.QueueLimit = 0;
|
||||
});
|
||||
options.AddSlidingWindowLimiter("super_strict", options =>
|
||||
{
|
||||
options.PermitLimit = 1;
|
||||
options.Window = TimeSpan.FromMinutes(1);
|
||||
options.SegmentsPerWindow = 1;
|
||||
options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
|
||||
options.QueueLimit = 2;
|
||||
});
|
||||
});
|
||||
|
||||
services.AddAuthorization(options =>
|
||||
|
||||
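Review bot: The limiter registered with `options.AddSlidingWindowLimiter("super_strict", ...)` is not partitioned — this overload keys every request to a single partition named after the policy — so `PermitLimit = 1` per minute is shared by every caller of the OTP endpoint rather than applied per account: one request anywhere in the service exhausts the permit for everyone else for the rest of the window, which turns the throttle into a way to block MFA for all users. Partition the limiter by the authenticated user via `options.AddPolicy`, as sketched below (needs `using System.Security.Claims;` and `using System.Threading.RateLimiting;` if not already present, and confirm which claim carries the user id in this identity provider). Secondly, `QueueLimit = 2` with a one-permit window means queued OTP requests hang for up to a minute before being served; the `strict` limiter just above uses `QueueLimit = 0`, and rejecting immediately with 429 is the better behaviour for an OTP send. Also, `SegmentsPerWindow = 1` makes the sliding window behave as a fixed window, and the inner lambda parameter `options` shadows the outer `options`; renaming it (e.g. `limiter`) avoids confusion. The enclosing `AddRateLimiter` lambda starts outside the hunk.
```csharp
options.AddPolicy("super_strict", context =>
{
    // One partition per authenticated user so the one-per-minute limit is per account, not global.
    // TODO(review): confirm which claim carries the user id for this identity provider.
    var key = context.User.FindFirstValue(ClaimTypes.NameIdentifier)
              ?? context.Connection.RemoteIpAddress?.ToString()
              ?? "anonymous";
    return RateLimitPartition.GetSlidingWindowLimiter(key, _ => new SlidingWindowRateLimiterOptions
    {
        PermitLimit = 1,
        Window = TimeSpan.FromMinutes(1),
        SegmentsPerWindow = 1,
        QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
        QueueLimit = 0, // reject immediately instead of holding the request for up to a minute
    });
});
// … unchanged: closing of AddRateLimiter and services.AddAuthorization …
```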