Brute force attack prevention #3479
First off thanks for making this great project! I was curious whether there is any brute force attack prevention code when using the credentials provider, or any standard practice to implement it? As of right now it appears that a user can try their credentials with no rate-limiting or password timeout, which seems like a fairly significant vulnerability against dictionary attacks and the like. Thanks
Replies: 3 comments 3 replies
The credentials provider is meant to be used with existing systems which we don't control. Those systems must take necessary measures themselves.
@balazsorban44 Is there any rate limit system for email auth? Or how can I access the request object inside EmailProvider so that I can use my own logic?
Any update please? I don't understand the "credentials based authentication is intentionally limited to discourage use of passwords due to the inherent security risks"; we are developers, and if our client asks for email-based authentication, we cannot say this is intentionally limited and force him to use another solution... OK, we can implement our own custom solution, but in that case next-auth will be useless...
https://next-auth.js.org/providers/credentials