
Login API shouldn't lock you out in case you make too many correct logins
Closed, Invalid (Public)

Description

Right now, when you perform too many simultaneous login actions on different projects, even if you provide correct credentials, you get locked out for too many login attempts in a short time. It should only lock you out if you provide a WRONG login too many times in a short time, not when you provide a CORRECT login as well.

Use case: Huggle allows simultaneous sessions on multiple projects at the same time; right now, picking 5 or more projects instantly locks you out, even if the password is OK.

Event Timeline

Anomie added a subscriber: Anomie.

This seems unlikely to have anything to do with the API, as the API just calls AuthManager without doing any throttling of its own. You also neglected to indicate how these logins are being done (action=login with the main account? action=login with a bot password? action=clientlogin?).

Are you actually sending your multiple logins simultaneously, or are you doing them serially? If the former, it may be that the throttle increments at the start of the login attempts add up and block the logins before it completes any of them in order to reset the throttle.

It's happening in parallel; I can try doing it in serial, though.

However, it seems that bot passwords do the job, I guess they bypass this check somehow. So for my use case this kind of solves it.
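
The parallel-versus-serial behaviour suggested in the comments above, as an added example that is not part of the original thread and is not MediaWiki or Huggle code: a simplified Python model that assumes the throttle counts an attempt when it starts and resets only when a login completes successfully. `LIMIT`, `Throttle` and `login_all` are hypothetical names and values, and capping the number of in-flight logins goes beyond the two cases the thread discusses.

```python
# Simplified model of a login throttle (illustration only, NOT MediaWiki code).
# Assumption: the counter is incremented when an attempt STARTS and is cleared
# only when an attempt COMPLETES successfully.
from dataclasses import dataclass

LIMIT = 4  # constructed value: attempts allowed before the throttle trips


@dataclass
class Throttle:
    limit: int = LIMIT
    count: int = 0

    def begin(self) -> bool:
        """Count the attempt up front; False means this attempt is throttled."""
        self.count += 1
        return self.count <= self.limit

    def succeed(self) -> None:
        """A completed login with correct credentials resets the counter."""
        self.count = 0


def login_all(projects, throttle, in_flight):
    """Log in to every project with correct credentials, starting at most
    `in_flight` attempts before waiting for any of them to complete."""
    results = {}
    for i in range(0, len(projects), in_flight):
        batch = projects[i:i + in_flight]
        # Phase 1: every attempt in the batch starts, so every one is counted.
        admitted = [(p, throttle.begin()) for p in batch]
        # Phase 2: the attempts complete; only now can the counter be reset.
        for project, ok in admitted:
            results[project] = "ok" if ok else "throttled"
        if any(ok for _, ok in admitted):
            throttle.succeed()
    return results


if __name__ == "__main__":
    projects = [f"project{i}" for i in range(1, 7)]  # constructed sample names
    for n in (len(projects), LIMIT, 1):
        print(f"in_flight={n}:", login_all(projects, Throttle(), n))
```

In this model every credential is correct, yet the fully parallel run is throttled because all increments land before the first reset; keeping the number of in-flight attempts at or below the limit avoids that.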