Description
Is your feature request related to a problem? Please describe.
A malicious person could try to get into an account with lots of tries. OED tries to mitigate that by not telling which of the username and password is wrong. OED also has a rate limiter on all routes in app.js that should significantly slow down such an attack and probably make it unlikely to succeed.
Describe the solution you'd like
While the current situation is very good, it is proposed to have an explicit, lower limit on login attempts. This will make attacks harder, especially if specific values are being probed. Specifically, the route in src/server/routes/login.js will be limited. If the rate limit is hit in normal usage then valid logins will fail. OED does not require login for most actions; only for admin, export, csv and some systems sending OED data. Thus, there are unlikely to be a lot of logins at any time. It is unclear how many should be allowed to be safe, but I'll throw out 900 requests per hour (3600 seconds), or an average of 1 every 4 seconds. By making it per hour it seems less likely to hit the limit during normal usage in which there is a larger number of people wanting to log in in a short amount of time, while still allowing lots of logins. Note the general limit is (3600 sec/hour) / (5 sec/rate interval) * (200 requests/rate interval) = 144,000 requests/hour. Thus, the new limit is 144,000 / 900 = 160 times lower. It limits tries to a little over 20k/day, which should give a site time to stop such attacks if they monitor the logs. I'm very open to other ideas.
Describe alternatives you've considered
OED could allow the site to set the limit on the admin site page. I propose we not do this unless issues are encountered. The reason is that one would need to know what better values are, and it isn't clear it is needed. If OED ever does this, it could check the proposed value to warn about/exclude the value being set.
Additional context
None.
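To make the two limits in the proposal concrete, here is an added example that is not OED's code (OED's app.js limiter is not reproduced here; the library it uses is not named above). It implements a fixed-window rate limiter in the shape of the common `{ windowMs, max }` options, wraps it as Express-style middleware, and then simulates one client hammering the login route against both the general limit (200 requests per 5 s) and the proposed login limit (900 per hour). The client address, the fake clock and the traffic patterns are assumptions for illustration.

```javascript
'use strict';

// Added example, not OED's code: a fixed-window, per-client rate limiter
// shaped like the usual { windowMs, max } options. `now` is injectable so
// the simulation below runs offline with a fake clock.
function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const hits = new Map(); // key -> { count, windowStart }

  // Record one request for `key` and report whether it may proceed.
  function check(key) {
    const t = now();
    let entry = hits.get(key);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t }; // start a fresh window
      hits.set(key, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - entry.count),
      retryAfterMs: allowed ? 0 : entry.windowStart + windowMs - t,
    };
  }

  // Express-style (req, res, next) middleware around check(), keyed by req.ip.
  function middleware(req, res, next) {
    const result = check(req.ip);
    if (result.allowed) return next();
    res.set('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
    return res.status(429).send('Too many requests, please try again later.');
  }

  return { check, middleware };
}

// The two limits discussed in the issue.
const GENERAL_LIMIT = { windowMs: 5 * 1000, max: 200 };      // app.js-wide limit
const LOGIN_LIMIT = { windowMs: 60 * 60 * 1000, max: 900 };  // proposed for login.js

// Requests per hour a limit permits from a single client.
function permittedPerHour({ windowMs, max }) {
  return ((3600 * 1000) / windowMs) * max;
}

// Fake clock so the simulation is instant and deterministic.
function makeClock() {
  let t = 0;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// One client (constructed address) sends `attempts` login requests, one every
// `intervalMs`. Each request passes the general limiter first (as app.js would
// do) and then the login-specific one. Returns how many requests each limiter
// rejected and when the login limiter first rejected one.
function simulateLoginAttempts({ attempts, intervalMs, client = '203.0.113.7' }) {
  const clock = makeClock();
  const general = createRateLimiter({ ...GENERAL_LIMIT, now: clock.now });
  const login = createRateLimiter({ ...LOGIN_LIMIT, now: clock.now });
  const stats = { generalBlocked: 0, loginBlocked: 0, firstBlockedAtMs: null };

  for (let i = 0; i < attempts; i += 1) {
    if (!general.check(client).allowed) {
      stats.generalBlocked += 1;
    } else if (!login.check(client).allowed) {
      stats.loginBlocked += 1;
      if (stats.firstBlockedAtMs === null) stats.firstBlockedAtMs = clock.now();
    }
    clock.advance(intervalMs);
  }
  return stats;
}

// A slow guess every second stays far under 200 per 5 s, so only the
// login-specific limit ever trips; a fast burst trips both.
console.log('per hour:', permittedPerHour(GENERAL_LIMIT), 'vs', permittedPerHour(LOGIN_LIMIT));
console.log('1 guess/s for an hour:', simulateLoginAttempts({ attempts: 3600, intervalMs: 1000 }));
console.log('100 guesses/s:', simulateLoginAttempts({ attempts: 3600, intervalMs: 10 }));
```

The slow scenario is the point of the proposal: a guess every second never gets near 200 per 5 seconds, so the general limiter passes all 3600 attempts while the login limiter rejects everything after the 900th. Two caveats when wiring something like this into Express: the counter is keyed by `req.ip`, which behind a reverse proxy is the proxy's address unless `trust proxy` is configured, and a per-address limit does nothing against guesses spread across many addresses, which is why the issue's suggestion to also watch the logs matters.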