I would like to add some security features to my Hobo app. In descending
priority order, I would like to add the following:
1. Account lockout feature to defend against brute force attacks. A
given number of consecutive failed login attempts over a given time period
would automatically lock the account for a few minutes (e.g., 10
consecutive failures within 5 minutes triggers a 15-minute lockout).
2. Login history table, for both security and informational purposes.
The table would be de-normalized, as it would track both successfully
authenticated sessions and lockouts. There would be one row per login
attempt. Login attempts on locked-out accounts would be ignored and would
not trigger the creation of new history rows. Possible columns for the
table would be:
   a. login success boolean
   b. the user's IP address
   c. session start timestamp
   d. session end timestamp
   e. lockout boolean
   f. lockout duration
3. Optional two-factor authentication.
Has anyone done something like this? Are there plans to include any of this
in future Hobo releases?
I have been looking at the base Hobo code. The sign_user_in method is
available for people who want to do their own authenticating. I am happy
with the Hobo authentication, but I would like to add additional logic
around it. I don't see an obvious way to add features as opposed to
replacing the whole thing.
--
You received this message because you are subscribed to the Google Groups "Hobo Users" group.
Visit this group at https://groups.google.com/group/hobousers.
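As an added example (not code from the post above and not part of Hobo), here is a framework-independent Ruby sketch of items 1 and 2: a sliding-window lockout counter with the post's 10-failures-in-5-minutes / 15-minute-lockout defaults, plus a de-normalized history with one row per recorded attempt. The names `LoginGuard`, `FakeClock` and `lockout_scenario` are hypothetical; the block passed to `attempt` stands in for Hobo's own credential check; the store is in-memory and the clock is injectable so the scenario can be run and inspected offline. In a Hobo/Rails app the failure timestamps and `Attempt` rows would live in database tables so that every app process sees the same state.

```ruby
# Added example (not Hobo's code): sliding-window account lockout plus a
# de-normalized login history, framework-independent and in-memory.
class LoginGuard
  # One row per recorded login attempt, using the columns listed in the post.
  Attempt = Struct.new(:user, :success, :ip, :session_start, :session_end,
                       :lockout, :lockout_duration)

  # Defaults: 10 consecutive failures within 5 minutes => 15-minute lockout.
  def initialize(max_failures: 10, window: 5 * 60, lockout: 15 * 60, clock: -> { Time.now })
    @max_failures = max_failures
    @window = window
    @lockout = lockout
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] } # user => timestamps of recent failures
    @locked_until = {}                        # user => Time the lockout expires
    @history = []                             # Attempt rows
  end

  attr_reader :history

  # True while a lockout is in force; expired lockouts are cleared lazily.
  def locked?(user)
    expires = @locked_until[user]
    return false unless expires
    return true if @clock.call < expires
    @locked_until.delete(user)
    false
  end

  # The block plays the part of the real credential check (e.g. Hobo's own
  # authentication) and must return truthy on success. It is not even called
  # while the account is locked. Returns :ignored (locked, nothing recorded),
  # :success, :failure, or :locked (this attempt triggered a new lockout).
  def attempt(user, ip)
    now = @clock.call
    return :ignored if locked?(user)

    if yield
      @failures.delete(user) # a success resets the consecutive-failure count
      @history << Attempt.new(user, true, ip, now, nil, false, nil)
      return :success
    end

    recent = @failures[user]
    recent << now
    recent.reject! { |t| t < now - @window } # drop failures outside the window
    if recent.size >= @max_failures
      @locked_until[user] = now + @lockout
      @failures.delete(user)
      @history << Attempt.new(user, false, ip, now, nil, true, @lockout)
      return :locked
    end

    @history << Attempt.new(user, false, ip, now, nil, false, nil)
    :failure
  end

  # Close the most recent open session row for the user (logout).
  def end_session(user)
    row = @history.reverse.find { |r| r.user == user && r.success && r.session_end.nil? }
    row.session_end = @clock.call if row
    row
  end
end

# Injectable clock so the scenario below is deterministic.
class FakeClock
  def initialize(start = Time.utc(2020, 1, 1)); @now = start; end
  def advance(seconds); @now += seconds; end
  def call; @now; end
end

# Constructed scenario from the post: a wrong password ten times, 30 s apart,
# one more try while locked, then the right password after the lockout ends.
# Returns the outcome of each attempt and the guard, for inspection.
def lockout_scenario
  clock = FakeClock.new
  guard = LoginGuard.new(clock: clock)
  outcomes = []
  10.times do
    outcomes << guard.attempt('alice', '203.0.113.7') { false } # bad password
    clock.advance(30)
  end
  outcomes << guard.attempt('alice', '203.0.113.7') { true } # correct, but locked: ignored
  clock.advance(15 * 60)
  outcomes << guard.attempt('alice', '203.0.113.7') { true } # lockout expired
  guard.end_session('alice')
  [outcomes, guard]
end

if __FILE__ == $0
  outcomes, guard = lockout_scenario
  puts outcomes.inspect
  guard.history.each { |row| puts row.to_h }
end
```

Two caveats a practitioner would want on item 1: a purely per-account lockout lets anyone who knows a username deny that user service by sending ten bad passwords, so it is usually paired with per-IP throttling; and the lockout response should look the same as an ordinary failure to the client, otherwise the login form leaks which usernames exist and are under attack.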