ryanwinchester

ryanwinchester

Throttling login attempts

Is there a best practice for throttling login attempts in Phoenix?

What is everybody else doing right now?

Marked As Solved

dbaer

dbaer

I recommend this approach as well, then you also have an audit trail as a side effect

def check_rate(ip, email) do
    expiry = Timex.shift(Timex.now(), minutes: -15)
    {:ok, ip} = EctoNetwork.INET.cast(ip)

    query =
      from a in Attempt,
        where:
          a.ip == ^ip and a.inserted_at >= ^expiry and
            a.success == false and a.email == ^email

    {:rate, Repo.aggregate(query, :count, :ip) < 5}
  end

or similar depending on the requirements.

Also Liked

josevalim

josevalim

Creator of Elixir

One possible approach, assuming the login is database backed, is to also store it in the database. You need a column with the attempts and the time of the first attempt. Once login succeeds, you clear those. If login fails and it is within the initial timestamp, you bump the counter. The goal is to not allow more than 5 attempts in X minutes.

ryanwinchester

ryanwinchester

Yeah, in the long run, an ETS (or mnesia?) based approach that doesn’t query the database with every attempt would probably be better.

Here’s what I’ve got for now. (don’t ask me why I made options even though I’ll probably never not use the defaults, I don’t know, it’s a sickness :sweat_smile:)

  def check_login_attempts(ip_address, email, opts \\ []) do
    {limit, opts} = Keyword.pop(opts, :limit, 5)

    if get_login_attempt_rate(ip_address, email, opts) < limit do
      :ok
    else
      {:error, :too_many_requests}
    end
  end

  def get_login_attempt_rate(ip_address, email, opts \\ []) do
    time_ago_opts = Keyword.get(opts, :time_ago, [minutes: -1])
    time_ago = Timex.shift(Timex.now(), time_ago_opts)

    query =
      from a in LoginAttempt,
        where: a.ip_address == ^ip_address or a.email == ^email,
        where: a.attempted_at >= ^time_ago,
        where: not a.success

    Repo.aggregate(query, :count)
  end

I didn’t limit it to just ip_address but also email address (which is a login credential). In case, for example and for whatever reason, someone is using a botnet or something to attempt to login to a single account, not only will the IPs get throttled, the account itself will be as well.

gregvaughn

gregvaughn

I’m late to the party, but we’ve been very pleased with this erlang library we’ve had in production for a few years now. We use it primarily for rate limiting our outgoing calls, but it works just as good for incoming calls. The mnesia backend it offers was our main reason to choose it for our 2 node cluster.

https://github.com/lambdaclass/throttle

Where Next?

Popular in Questions Top

jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
JDanielMartinez
Hi! May someone helps me, please! I have two apps into an umbrella project: the first one is Database, which manages queries, and the se...
New
script
If I have a string “1000 cfu/ml” . I want to remove the characters and / and space . So the string is like this "1000" What is the ...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

Other popular topics Top

Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
chrismccord
This release brings a number of exciting features, including integration with the new Phoenix LiveDashboard and Phoenix LiveView. There h...
New
hariharasudhan94
lets say i have a sample like a = 20; b = 10; if (a &gt; b) do {:ok, "a"} end if (a &lt; b) do {:ok, b} end if (a == b) do {:ok, "equa...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39297 209
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
marick
I had some trouble figuring out how to make many-to-many associations work. Once I got it working, I wrote a blog post. Because I’m a nov...
New
dogweather
I wrote this comment on r/haskell, and it’s not popular there. :wink: But I think I’m on to something… Haskell reminds me of Java, and e...
New

We're in Beta

About us Mission Statement