https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962 --- Comment #16 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to David Cook from comment #12)
(In reply to Jonathan Druart from comment #11)
1. Missing tests (you must provide tons of tests to cover the different situations)
Are all the existing API tests in "t/db_dependent/api/v1/"?
Not sure what you mean here, but we try to enforce 100% code coverage on the tests.
2. Route's name should not be a verb (/password/validation maybe?)
I did struggle to come up with a noun for this one so I take the point.
I'd go with 'validation'.
4. It's always returning "Invalid password" even for other failures (like too many attempts)
I suppose a generic error like "Authentication failed" or "Validation failed" would be better.
If you think generic is fine, go for it. If you think there are use cases in which the caller could take advantage on the information, please catch those exceptions and return something meaningful.
5. It allows you to check for pwd validation for a user you don't know their userid (you can force brute only by knowing the patron's id). I don't think it's a security concern as userid could be guessed anyway (?) 6. following 5, you can lock any accounts if FailedLoginAttempts is set, no need to know the userid list. How bad is that?
Maybe not the right bug to talk about how to prevent brute force attacks, as you said: this is not a public route. -- You are receiving this mail because: You are watching all bug changes.