Symfony version(s) affected
6.1.3
Description
I have this in my security.php:

```php
$security->provider('foo_provider')->entity()->class(Foo::class)->property('token');
$mainFirewall->loginThrottling()->maxAttempts(1)->interval('1 hour');
```
`Foo::$token` is a self-created random string for magic link login.
This happens when requesting the same inexistent token URL (after cache:clear):

1. attempt => "Invalid link"
2. attempt => "You're blocked" // As expected with ->maxAttempts(1)
3. attempt => "You're blocked"
4. attempt => "You're blocked"
5. attempt => "Invalid link" // Why??
6. through 20. attempt => "You're blocked"
So to me this looks like either a bug, or the documentation at https://symfony.com/doc/5.4/security.html#limiting-login-attempts is missing something:
> Login attempts are limited on `max_attempts` (default: 5) failed requests for IP address + username and 5 * max_attempts failed requests for IP address.
When changing `max_attempts` to 2, the unexpected "Invalid link" happens at the 10th attempt, so it's probably related to the "5 * max_attempts" rule.
How to reproduce
If you're telling me that this is the expected behavior, then let's try to improve the docs. If you say that this is unexpected, I can try to investigate it further or create a reproducer.
Possible Solution
No response
Additional Context
No response