authnzerver.ratelimit module

This module contains RequestHandler mixins that rate-limit the authnzerver’s own API, throttle repeated incorrect password attempts, and lock/unlock user accounts after repeated password check failures.

None of these mixins work on their own: each depends on attributes and methods that are defined in handlers.AuthHandler (or a close derivative), listed under Requires below.

class authnzerver.ratelimit.RateLimitMixin

Bases: object

This class contains a method that rate-limits the authnzerver’s own API.

Requires:

  • self.cacheobj (from AuthHandler)
  • self.ratelimits (from AuthHandler)
  • self.pii_salt (from AuthHandler)
  • self.request.remote_ip (from tornado.web.RequestHandler)
ratelimit_request(reqid: Union[int, str], request_type: str, frontend_client_ipaddr: str, request_body: dict = None) → None

This rate-limits the request based on its request type and the rate limits set for that type in the config object, keyed by the front-end client’s IP address.
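As an added example, not code from authnzerver itself: a sliding-window limiter keyed by request type and a salted hash of the client IP, which is the shape of check ratelimit_request() is described as performing. The per-type limits, the 60-second window, the in-memory dict that stands in for self.cacheobj and the FakeClock are all assumptions made for this example.

```python
import hashlib
import time
from collections import defaultdict, deque

# Hypothetical per-request-type limits (allowed requests per window). These stand
# in for the ratelimits dict the real AuthHandler reads from its config; the type
# names and numbers are assumptions for the example.
RATELIMITS = {"user-login": 5, "user-passcheck": 5, "default": 20}
WINDOW_SECONDS = 60.0


class FakeClock:
    """Settable monotonic clock so the window can be advanced deterministically."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def hash_client_ip(ipaddr: str, pii_salt: str) -> str:
    """Key cache entries by a salted hash so raw client IPs (PII) never sit in the cache."""
    return hashlib.sha256(f"{pii_salt}|{ipaddr}".encode("utf-8")).hexdigest()[:32]


class RateLimitTracker:
    """Sliding-window counter per (request_type, hashed client IP).

    The dict of deques stands in for the cacheobj the mixin gets from AuthHandler;
    the algorithm itself is an assumption for this example.
    """

    def __init__(self, ratelimits: dict, pii_salt: str,
                 window: float = WINDOW_SECONDS, clock=time.monotonic):
        self.ratelimits = ratelimits
        self.pii_salt = pii_salt
        self.window = window
        self.clock = clock
        self.cache = defaultdict(deque)  # key -> timestamps of accepted requests

    def check(self, request_type: str, frontend_client_ipaddr: str) -> tuple:
        """Return (allowed, remaining_in_window) for one request.

        Unknown request types fall back to the "default" limit, so a newly added
        endpoint is never accidentally unlimited.
        """
        limit = self.ratelimits.get(request_type, self.ratelimits["default"])
        key = (request_type, hash_client_ip(frontend_client_ipaddr, self.pii_salt))
        now = self.clock()
        hits = self.cache[key]
        # Evict timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= limit:
            return False, 0
        hits.append(now)
        return True, limit - len(hits)
```

Rejected requests are deliberately not recorded, so a client is let through again as soon as its oldest accepted request ages out; counting rejections as well keeps an abusive client locked out for as long as it keeps trying, at the cost of a larger cache. The salt only keeps raw addresses out of the cache if it is the same in every worker process; otherwise each worker keys its entries independently.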

class authnzerver.ratelimit.UserLockMixin

Bases: object

This class handles user locking/unlocking and slowing down repeated password failures.

handle_failed_logins(payload: dict) → tuple

This handles a failed password check for the user identified in payload.

  • Adds an increasing wait time to each successive failed login attempt.
  • If the number of failed logins exceeds 10, the account is locked for one hour (the default unlock_after_seconds of lockuser_repeated_login_failures()), and an unlock action is scheduled on the ioloop.

Requires:

  • self.failed_passchecks (from AuthHandler)
  • self.config (from AuthHandler)
lockuser_repeated_login_failures(payload: dict, unlock_after_seconds: int = 3600) → dict

This locks the user account and schedules an unlock action to run unlock_after_seconds later (3600 seconds, i.e. one hour, by default).

Requires:

  • self.config (from AuthHandler)
  • self.executor (from AuthHandler)
  • self.scheduled_user_unlock() (from UserLockMixin)
scheduled_user_unlock(user_id: int, reqid: Union[int, str], pii_salt: str)

This function is scheduled on the ioloop to unlock the specified user.
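As an added example covering handle_failed_logins(), lockuser_repeated_login_failures() and scheduled_user_unlock() together, and not code from authnzerver itself: per-user failure counting with a growing delay, a lock once failures exceed 10, and an unlock callback that only fires once the lock has expired. The doubling delay schedule with a 60-second cap, the in-memory dicts that stand in for self.failed_passchecks, and the FakeClock that stands in for the ioloop’s timer are assumptions for this example; the limit of 10 failures and the 3600-second default come from the page.

```python
import time

MAX_FAILED_LOGINS = 10        # lock once failures exceed this (page: "exceeds 10")
UNLOCK_AFTER_SECONDS = 3600   # default of lockuser_repeated_login_failures
BASE_WAIT_SECONDS = 1.0       # assumed: first failure waits 1 s, then doubles
MAX_WAIT_SECONDS = 60.0       # assumed cap on the per-attempt delay


class FakeClock:
    """Settable clock standing in for the ioloop's notion of time."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def failed_login_wait(nfailures: int) -> float:
    """Increasing delay per consecutive failure: 1, 2, 4, ... seconds, capped.

    The exact schedule is an assumption; the page only says the wait increases.
    """
    if nfailures <= 0:
        return 0.0
    return min(MAX_WAIT_SECONDS, BASE_WAIT_SECONDS * 2 ** (nfailures - 1))


class FailedLoginTracker:
    """Per-user failure counting, throttling and lock/unlock (example, not authnzerver's)."""

    def __init__(self, unlock_after_seconds: int = UNLOCK_AFTER_SECONDS,
                 clock=time.monotonic):
        self.failed_passchecks = {}   # user_id -> consecutive failures (stands in for AuthHandler's)
        self.locked_until = {}        # user_id -> clock time at which the scheduled unlock is due
        self.unlock_after_seconds = unlock_after_seconds
        self.clock = clock

    def is_locked(self, user_id: int) -> bool:
        until = self.locked_until.get(user_id)
        return until is not None and self.clock() < until

    def handle_failed_login(self, user_id: int) -> tuple:
        """Record one failed password check; return (wait_seconds, locked)."""
        if self.is_locked(user_id):
            return 0.0, True
        n = self.failed_passchecks.get(user_id, 0) + 1
        self.failed_passchecks[user_id] = n
        if n > MAX_FAILED_LOGINS:
            self.lock_user(user_id)
            return 0.0, True
        return failed_login_wait(n), False

    def lock_user(self, user_id: int) -> dict:
        """Lock the account and record when the scheduled unlock should fire."""
        due = self.clock() + self.unlock_after_seconds
        self.locked_until[user_id] = due
        return {"user_id": user_id, "locked": True, "unlock_due_at": due}

    def scheduled_user_unlock(self, user_id: int) -> bool:
        """The callback the ioloop would run later; unlocks only once the lock has expired."""
        due = self.locked_until.get(user_id)
        if due is None or self.clock() < due:
            return False
        del self.locked_until[user_id]
        # Reset the counter too, otherwise the next single failure re-locks immediately.
        self.failed_passchecks.pop(user_id, None)
        return True

    def handle_successful_login(self, user_id: int) -> None:
        """A successful check resets the counter, but never clears an active lock."""
        if not self.is_locked(user_id):
            self.failed_passchecks.pop(user_id, None)
```

Failures are keyed by user rather than by client IP, so guesses spread across many addresses still trip the lock; the flip side is that anyone who knows a username can lock that account for an hour with eleven wrong guesses, which makes this a throttle against online guessing rather than a replacement for the per-IP limits in RateLimitMixin. Keeping the counters in a plain dict, as this example does, also means each process sees only its own failures.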