[RateLimiter][Security] Add a login_throttling.interval (in security.firewalls) option to change the default throttling interval.
#40339
Conversation
There was a problem hiding this comment.
Sorry, I was too quick. The Travis build failures are related to the changes in this PR if I'm correct:
There were 2 failures:
1) Symfony\Bundle\SecurityBundle\Tests\Functional\FormLoginTest::testLoginThrottling with data set "invalid_password_again" ('johannes', 'also_wrong', 2)
Failed asserting that string matches format description.
--- Expected
+++ Actual
@@ @@
-%sToo many failed login attempts, please try again in 8 minutes%s
+Welcome! Too many failed login attempts, please try again in %minutes% minute. Too many failed login attempts, please try again in 1 minute. Username: Password:
/home/travis/build/symfony/symfony/src/Symfony/Bundle/SecurityBundle/Tests/Functional/FormLoginTest.php:134
2) Symfony\Bundle\SecurityBundle\Tests\Functional\FormLoginTest::testLoginThrottling with data set "invalid_password_again_bis" ('johannes', 'wrong_again', 4)
Failed asserting that string matches format description.
--- Expected
+++ Actual
@@ @@
-%sToo many failed login attempts, please try again in 8 minutes%s
+Welcome! Too many failed login attempts, please try again in %minutes% minute. Too many failed login attempts, please try again in 1 minute. Username: Password:
/home/travis/build/symfony/symfony/src/Symfony/Bundle/SecurityBundle/Tests/Functional/FormLoginTest.php:140
Are you sure the session is kept between multiple test...() calls? (I would expect the testcase to clear up everything after each test, to avoid side-effects)
|
@wouterj You're right, the tests failed for this reason. 🤔 But I have launched the tests with phpunit before pushing the PR and everything has run fine.
May one of you have a clue as to what's wrong? Or at least, to reproduce the test failure ? |
|
I'll have look :) |
|
@damienfa I've been able to reproduce it locally and fix the tests (see the commit I pushed to this PR). You somehow lost the change in the security test config while creating this PR. I think I also discovered why you didn't see this error locally. Instead of using a globally installed |
|
@wouterj Yes ! I have just come to the same conclusion 🤦🏻♂️ I'm now able to reproduce it locally. |
|
Thank you @damienfa. |
The only way to customize the default rate-limiter's options of the login_throttling (means fixed_window / 1 minute / 5 tokens) are through a custom limiter, which implies to declare a rate-limiter factory in the "framework.rate_limiter", a service which use this factory etc. It's really heavy just for changing an interval (moreover, 1 minute can be discutable).
In this PullRequest, I just propose to allow an
intervaloption.Example :
See functional tests.
🤷🏻♂️ This pull-request is a copy of this pull-request that I've created some weeks ago. On the original PR, I just needed to rebase on 5.x to pass the tests (fabbot etc.) but the rebase I've tried runs in a loop of conflicts and I'm stuck. I've never experienced this before... SORRY.