Brute force password attack protection: blocking user after N unsuccessful login attempts

[Kh-Oleg]

Hi,
What do you think about adding a feature, when a user would become inactive (blocked), when a certain amount of unsuccessful login attempts were done in a row? This would protect Fief from brute force password attacks.

I see that the under the hood used fastapi_users.models.UserProtocol entity has the is_active flag which seems to be properly handled, when it's set to False; but I don't see Fief using this flag.

[frankie567]

Yes, I was thinking for some time about a protection against brute-force. Another solution I thought about was to implement some rate-limiting mechanism so an attacker couldn't enumerate accounts through login, registration and so on.

Regarding fastapi_users, I'm actually working on removing the dependency and reimplement the basic parts directly in Fief. It will help us implement more advanced features, like 2FA or Passwordless. In the process, I'll remove the is_active flag for now, but it could be re-added if needed.

[Kh-Oleg]

I'd like to have not only automated protection against brute-force, but also a notification to admin about suspicious activity. Blocking account could be one of possible reactions to such activity, when unblocking would require an admin intervention.

Or more generic proposal: what if to implement a web hook on_unsuccessful_login(user_id)?
Supporting user states {Active, Disabled} in Fief is anyway required.