mirror of
https://github.com/reddit-archive/reddit.git
synced 2026-01-24 14:27:58 -05:00
The goal of a login ratelimit system is to prevent brute force attacks on passwords. The current login ratelimit system is based on VDelay, which uses exponential backoff based on IP address after failed login attempts. This is not ideal because corporate proxies and LSN cause the number of false positives to be very high, resulting in users getting the dreaded "you've been doing that too much". This new system uses a factored-out version of the core ratelimiting system, which uses fixed ratelimits per period (allowing some burstiness) and is per-account. To help mitigate the effects of a denial of service attack on a specific user, different ratelimit buckets are used depending on whether or not the user has used the IP the login request is coming from before. As an escape hatch, successfully resetting an account's password adds the current IP to that account's recent IPs, allowing it into the safer ratelimit bucket. The ratelimit never applies if you are currently logged in as the user, allowing account deletion to happen regardless of ongoing brute force / denial of service attacks.
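The bucketing scheme the commit message describes, as an added illustrative example rather than reddit's own code: per-account fixed-window counters, a stricter shared bucket for IPs the account has never used, a bypass when the request is already authenticated as that account, and a password reset that promotes the current IP into the "known" bucket. The limits, the in-memory store (reddit's ratelimiter is memcached-backed) and the IPs are constructed for the example.

```python
import time
from collections import defaultdict

# Constructed fixed-window limits: (max failed attempts, period in seconds).
# Real values would be tuned per deployment; these are placeholders.
KNOWN_IP_LIMIT = (10, 600)    # IPs the account has logged in from / reset from
UNKNOWN_IP_LIMIT = (3, 600)   # one shared bucket for every unfamiliar IP


class LoginRatelimiter:
    """Per-account login ratelimiter with known/unknown-IP buckets."""

    def __init__(self, now=time.time):
        self._now = now
        # (account, bucket, window index) -> failed-login count
        self._counters = {}
        # account -> set of IPs that have authenticated or reset a password
        self._recent_ips = defaultdict(set)

    def _bucket(self, account, ip):
        if ip in self._recent_ips[account]:
            return "known", KNOWN_IP_LIMIT
        return "unknown", UNKNOWN_IP_LIMIT

    def _key(self, account, ip):
        name, (limit, period) = self._bucket(account, ip)
        window = int(self._now() // period)   # fixed window: allows bursts
        return (account, name, window), limit

    def allowed(self, account, ip, logged_in_as=None):
        # Escape hatch: a session already authenticated as the target account
        # is never ratelimited, so account deletion still works under attack.
        if logged_in_as == account:
            return True
        key, limit = self._key(account, ip)
        return self._counters.get(key, 0) < limit

    def record_failure(self, account, ip):
        key, _ = self._key(account, ip)
        self._counters[key] = self._counters.get(key, 0) + 1

    def record_success(self, account, ip):
        # A successful login marks the IP as one this account has used.
        self._recent_ips[account].add(ip)

    def record_password_reset(self, account, ip):
        # A successful reset promotes the current IP into the safer bucket.
        self._recent_ips[account].add(ip)
```

A failure from an unknown IP only consumes the shared unknown bucket, so an attacker hammering an account from many addresses cannot lock out the owner logging in from a previously used IP.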