Is there a Rails Devise module for limiting login attempts for specific IP?

Time:10-06

I know we can use lockable for limiting login attempts for a user. But I would like to implement an IP limit. If an attacker knows one valid password, but doesn't know which user it belongs to, he can try different user names with that password. He will not be locked because he will not reach the max number of tries for each user.

Is there some official Devise module or gem for this? Or what would be the best way of implementing this myself? I can just save the IP for each login attempt to a separate table and check if the number of failed tries reaches some threshold.

CodePudding user response:

I think the simplest approach would be to have classic rate limiting for some endpoints, without adding unnecessary complexity like counting failed attempts, etc.

There are several options in Ruby:
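As an added example (not part of the answer above and not any particular gem's code), endpoint rate limiting keyed on the client IP can be sketched as a small Rack middleware. The class name `LoginThrottle`, the limit and period values, the in-memory store, and the use of Devise's default `POST /users/sign_in` route are assumptions made for illustration.

```ruby
# Added example: per-IP throttle for the sign-in endpoint as Rack middleware.
# Assumptions: Devise's default route POST /users/sign_in, an in-process Hash
# store (a multi-process deployment needs a shared store), and REMOTE_ADDR as
# the client address (behind a proxy, use the proxy-validated client IP).
class LoginThrottle
  def initialize(app, limit: 5, period: 60, path: "/users/sign_in", clock: -> { Time.now.to_f })
    @app, @limit, @period, @path, @clock = app, limit, period, path, clock
    @hits = Hash.new { |h, k| h[k] = [] } # ip => timestamps of counted attempts
    @lock = Mutex.new
  end

  def call(env)
    return @app.call(env) unless env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == @path

    retry_after = @lock.synchronize { register(env["REMOTE_ADDR"].to_s) }
    return @app.call(env) if retry_after.nil?

    [429, { "content-type" => "text/plain", "retry-after" => retry_after.ceil.to_s },
     ["Too many login attempts\n"]]
  end

  private

  # Sliding window: returns nil when the attempt is allowed, otherwise the
  # number of seconds until the oldest counted attempt leaves the window.
  # Every POST counts, whatever user name it carries and whether or not the
  # login succeeds, so trying one password against many accounts is limited.
  def register(ip)
    now = @clock.call
    @hits.delete_if { |_, ts| ts.empty? || ts.last <= now - @period } # drop idle IPs
    recent = @hits[ip]
    recent.reject! { |t| t <= now - @period }
    return (recent.first || now) + @period - now if recent.size >= @limit

    recent << now
    nil
  end
end
```

In a Rails application the middleware would be registered with `config.middleware.use LoginThrottle, limit: 5, period: 60`.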
