To prevent a site from being used in an amplification attack or part of an email bomb or whatever, the login endpoint should throttle requests made based on both the me parameter and on the originating IP address (as determined by eg flask.request.headers.get(“x-forwarded-for”,flask.request.remote_addr) or whatever the correct invocation is). The timeout should probably be stored in an expiringdict with the next timeout computed by adding the delta between the current timeout and the current time multiplied by some constant, with the initial timeout and constant being configurable.
Care should be taken to not accidentally make this a vector for maliciously locking people out, though.
To prevent a site from being used in an amplification attack or part of an email bomb or whatever, the login endpoint should throttle requests made based on both the
meparameter and on the originating IP address (as determined by egflask.request.headers.get(“x-forwarded-for”,flask.request.remote_addr)or whatever the correct invocation is). The timeout should probably be stored in an expiringdict with the next timeout computed by adding the delta between the current timeout and the current time multiplied by some constant, with the initial timeout and constant being configurable.Care should be taken to not accidentally make this a vector for maliciously locking people out, though.