mirror of
https://github.com/gophish/gophish
synced 2024-11-15 00:37:14 +00:00
bb7de8df3e
This PR adds the initial work to implement a password policy as defined in #1538. Specifically, this implements the following:

* Rate limiting for the login handler
* Implementing the ability for system admins to require a user to reset their password
* Implementing a password policy that requires passwords to be a minimum of 8 characters
* Removes the default password (gophish) for admin users to instead have the password randomly generated when Gophish first starts up
* Adds a password strength meter when choosing a new password

Fixes #1538
15 lines
768 B
Go
// Package ratelimit provides a simple token-bucket rate limiting middleware
// which only allows n POST requests every minute. This is meant to be used on
// login handlers or other sensitive transactions which should be throttled to
// prevent abuse.
//
// Tracked clients are stored in a locked map, with a goroutine that runs at a
// configurable interval to clean up stale entries.
//
// Note that there is no enforcement for GET requests. This is an effort to be
// opinionated in order to hit the most common use-cases. For more advanced
// use-cases, you may consider the `github.com/didip/tollbooth` package.
//
// The enforcement mechanism is based on the blog post here:
// https://www.alexedwards.net/blog/how-to-rate-limit-http-requests
package ratelimit
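The package doc above describes the design (per-client token buckets in a mutex-guarded map, POST-only enforcement, a sweeper goroutine for stale entries) but this file carries no implementation. The following is an added, self-contained illustration of that design written for this page; it is not gophish's ratelimit package, and it uses only the standard library rather than the `golang.org/x/time/rate` limiter used in the linked blog post. Every name in it (`Limiter`, `NewLimiter`, `Allow`, `Sweep`, `clientIP`, `Middleware`, the injectable `now` clock) is hypothetical. It keys clients on the TCP peer address; behind a reverse proxy that would need to change, and the comment on `clientIP` says why.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"sync"
	"time"
)

type bucket struct {
	tokens   float64   // tokens available, capped at perMinute
	lastSeen time.Time // drives refill and stale-entry sweeping
}

// Limiter allows perMinute POSTs per client: a full bucket to start, one token
// spent per POST, refilled continuously at perMinute/60 tokens per second.
type Limiter struct {
	mu        sync.Mutex
	clients   map[string]*bucket
	perMinute float64
	now       func() time.Time // injectable clock (hypothetical) so tests are deterministic
}

// NewLimiter also starts the sweeper goroutine; call stop to end it.
func NewLimiter(perMinute int, sweepEvery, staleAfter time.Duration) (l *Limiter, stop func()) {
	l = &Limiter{clients: map[string]*bucket{}, perMinute: float64(perMinute), now: time.Now}
	done := make(chan struct{})
	go func() {
		t := time.NewTicker(sweepEvery)
		defer t.Stop()
		for {
			select {
			case <-t.C:
				l.Sweep(staleAfter)
			case <-done:
				return
			}
		}
	}()
	return l, func() { close(done) }
}

// Allow spends one token for key and reports whether the request may proceed.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.clients[key]
	if !ok {
		b = &bucket{tokens: l.perMinute}
		l.clients[key] = b
	} else if gap := now.Sub(b.lastSeen); gap > 0 {
		// Refill in proportion to elapsed time, never above the burst size.
		b.tokens += float64(gap) * l.perMinute / float64(time.Minute)
		if b.tokens > l.perMinute {
			b.tokens = l.perMinute
		}
	}
	b.lastSeen = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Sweep drops clients idle longer than staleAfter and returns how many it removed.
func (l *Limiter) Sweep(staleAfter time.Duration) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	now, removed := l.now(), 0
	for key, b := range l.clients {
		if now.Sub(b.lastSeen) > staleAfter {
			delete(l.clients, key)
			removed++
		}
	}
	return removed
}

// clientIP keys on the TCP peer. Behind a reverse proxy use the address the proxy
// sets instead; honouring X-Forwarded-For from arbitrary clients lets an attacker
// choose which bucket they land in and so bypass the limit.
func clientIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// Middleware throttles POST only; GET and other methods pass through untouched.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && !l.Allow(clientIP(r)) {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	l, stop := NewLimiter(3, time.Minute, 5*time.Minute)
	defer stop()
	for i := 1; i <= 4; i++ { // the fourth POST in a row from one client is refused
		fmt.Println("POST", i, "from 192.0.2.10 allowed:", l.Allow("192.0.2.10"))
	}
}
```

Wrap only the login handler (or similar state-changing endpoints) with `Middleware`; the sweeper's `staleAfter` should be at least one full refill period, otherwise a client whose entry is dropped gets a fresh full bucket early.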