The Problem
As described in Increase Password Strength (deprecated as of 12/04/2018), we added throttling on login (PLFM-3818) to protect user accounts from password guessing. With this in place, after 10 failed attempts an account is locked out for 5 minutes. The side effect is that the lockout itself becomes an attack: an attacker who submits 10 bad passwords against every Synapse account every five minutes keeps every Synapse account locked, without ever guessing a single password.
...
This approach requires every client to implement the new APIs, cache the authenticationReceipt, and present the cached receipt on the user's behalf in later login requests.
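The following is an added illustration, not Synapse code, of what the client-side obligation above looks like next to a toy server. The throttle numbers (10 failures, 5 minute lockout) come from this page; everything else is assumed for the example: the receipt as an HMAC-signed `{username, expiry}` token, the request and response field names, the receipt lifetime, and the rule that a request carrying a valid receipt for the account is exempt from that account's lockout (so a client that cached its receipt can still log in while an attacker is hammering the account, and a client that did not cannot).

```python
"""Added example (not Synapse code): login throttling with a cached
authenticationReceipt.  Receipt format, field names, TTL and the
"valid receipt bypasses the per-account lockout" rule are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

MAX_FAILURES = 10                     # from the page
LOCKOUT_SECONDS = 5 * 60              # from the page
RECEIPT_TTL_SECONDS = 30 * 24 * 3600  # assumed receipt lifetime

USERS = {"alice": "correct horse", "bob": "battery staple"}  # constructed sample accounts


class AuthServer:
    """Toy server: per-account failure counter, lockout, and receipt issuance."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.secret, payload, hashlib.sha256).hexdigest()

    def issue_receipt(self, username: str, now: float) -> str:
        # Receipt = base64(claims) "." HMAC(claims); binds receipt to one account.
        payload = json.dumps({"u": username, "exp": now + RECEIPT_TTL_SECONDS}).encode()
        return f"{base64.urlsafe_b64encode(payload).decode()}.{self._sign(payload)}"

    def receipt_is_valid(self, receipt: Optional[str], username: str, now: float) -> bool:
        if not receipt or "." not in receipt:
            return False
        body, sig = receipt.rsplit(".", 1)
        try:
            payload = base64.urlsafe_b64decode(body.encode())
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False
        claims = json.loads(payload)
        return claims["u"] == username and claims["exp"] > now

    def login(self, request: dict, now: float) -> dict:
        """Models POST /session2login (assumed body: username, password, authenticationReceipt)."""
        username = request["username"]
        has_receipt = self.receipt_is_valid(request.get("authenticationReceipt"), username, now)
        # Assumed rule: only receipt-less requests are subject to the account lockout.
        if not has_receipt and self.locked_until.get(username, 0.0) > now:
            return {"status": 429, "error": "account locked"}
        if USERS.get(username) == request["password"]:
            self.failures[username] = 0
            return {"status": 200, "sessionToken": f"tok-{username}",
                    "authenticationReceipt": self.issue_receipt(username, now)}
        if not has_receipt:  # receipt-less failures count toward the lockout
            n = self.failures.get(username, 0) + 1
            self.failures[username] = n
            if n >= MAX_FAILURES:
                self.locked_until[username] = now + LOCKOUT_SECONDS
                self.failures[username] = 0
        return {"status": 401, "error": "bad credentials"}


class Client:
    """What the page asks of every client: cache the receipt and resend it."""

    def __init__(self, server: AuthServer, username: str):
        self.server, self.username, self.receipt = server, username, None

    def login(self, password: str, now: float) -> dict:
        resp = self.server.login({"username": self.username, "password": password,
                                  "authenticationReceipt": self.receipt}, now)
        if resp["status"] == 200:
            self.receipt = resp["authenticationReceipt"]  # cache for next time
        return resp


def lockout_scenario() -> dict:
    """The attack from the page: 10 bad guesses lock the account for anyone
    without a receipt; a client holding a cached receipt still gets in."""
    server = AuthServer(secret=b"server-side-secret")  # constructed secret
    alice = Client(server, "alice")
    alice.login("correct horse", now=0.0)              # legitimate login, receipt cached
    for _ in range(MAX_FAILURES):                       # attacker, no receipt
        server.login({"username": "alice", "password": "guess"}, now=10.0)
    return {
        "attacker_after_lock": server.login(
            {"username": "alice", "password": "correct horse"}, now=20.0)["status"],
        "fresh_client_during_lock": Client(server, "alice").login("correct horse", now=20.0)["status"],
        "cached_client_during_lock": alice.login("correct horse", now=20.0)["status"],
        "fresh_client_after_lock": Client(server, "alice").login(
            "correct horse", now=20.0 + LOCKOUT_SECONDS)["status"],
    }
```

The `fresh_client_during_lock` result is the cost the sentence above is pointing at: a client that never cached its receipt (or lost it) is indistinguishable from the attacker and is locked out with it, which is why the receipt has to be cached by every client rather than being optional.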
Models
APIs
Action | Require Authentication | URI | Method | Request Param | Request Body | Response Body |
---|---|---|---|---|---|---|
Login | False | /session2login | POST | | V2LoginCredentialsLoginRequest | V2SessionLoginResponse |
...