I’m experiencing some weird login requests. Do you know of any existing package or feature for this case?
I’m not sure what you mean by “throttle” but if you have problems with login you can debug server side step by step and check what’s wrong.
The DDP rate limiter by default should already throttle login attempts:
Thanks, DDPRateLimiter could be helpful.
I have a question: In the example:
```js
// Define a rule that matches login attempts by non-admin users.
const loginRule = {
  userId(userId) {
    const user = Meteor.users.findOne(userId);
    return user && user.type !== 'admin';
  },
  type: 'method',
  name: 'login'
};
// Add the rule, allowing up to 5 messages every 1000 milliseconds.
DDPRateLimiter.addRule(loginRule, 5, 1000);
```
The userId() function, how do we have userId here if the user hasn’t logged in yet?
I have not looked into this package for a long time, but I would assume it works similarly to Meteor methods. Methods can be called both by users who are logged in and by users who are not logged in. In the first case the userId is received from the DDP protocol inside the method, and in the latter it is just empty. Probably it works the same way here. But take my description with a grain of salt; I have not touched these topics for a while now.
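An added example, not part of any post in this thread and not Meteor's own code: a rule that throttles `login` calls made before authentication, keyed by client address, with a simplified model of matcher evaluation to show why a null `userId` still matches. The names `preLoginRule`, `ruleMatches`, `bucketKey` and `registerLoginThrottle`, the 5-per-60000 ms limit and the sample inputs are assumptions made for illustration.

```javascript
// Rule for login calls made before authentication (hypothetical name).
const preLoginRule = {
  type: 'method',
  name: 'login',
  // Before login the connection has no user, so the limiter passes an empty userId.
  userId: (userId) => !userId,
  // Matching every address makes the limiter count each address separately.
  clientAddress: () => true,
};

// Simplified model of matcher evaluation (assumption, for illustration only):
// a function matcher is called with the input's value, a plain value must be equal.
function ruleMatches(rule, input) {
  return Object.entries(rule).every(([key, matcher]) =>
    typeof matcher === 'function'
      ? Boolean(matcher(input[key]))
      : matcher === input[key]);
}

// Simplified model of the counter key: one bucket per combination of matched values.
function bucketKey(rule, input) {
  return Object.keys(rule).map((key) => `${key}=${input[key]}`).join('|');
}

// `limiter` is DDPRateLimiter in a Meteor server file:
//   import { DDPRateLimiter } from 'meteor/ddp-rate-limiter';
//   registerLoginThrottle(DDPRateLimiter);
function registerLoginThrottle(limiter, attempts = 5, intervalMs = 60000) {
  return limiter.addRule(preLoginRule, attempts, intervalMs);
}

// Constructed sample inputs, shaped like the fields the limiter matches on.
const anonymousAttempt = {
  type: 'method',
  name: 'login',
  userId: null,
  clientAddress: '203.0.113.7',
  connectionId: 'c1',
};
const otherAddress = { ...anonymousAttempt, clientAddress: '203.0.113.8' };
const loggedInCall = { ...anonymousAttempt, userId: 'u1' };
```

Behind a reverse proxy, `clientAddress` is only meaningful when Meteor's `HTTP_FORWARDED_COUNT` environment variable is set for the deployment; otherwise every attempt appears to come from the proxy and shares one bucket.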
If you mean Brute Force Login protection, current Meteor 3 WeKan has it, with settings at Admin Panel and environment variables, and unlock at Admin Panel / People / People. Please let me know if it does not work.
Related: in my fork I removed all dependencies of the lockout package and left only 10 required files:
Thank you. lucasantoniassi:accounts-lockout is what I’m looking for.
Why not go passwordless? That’s the current standard.