This (using the hooks in the Hobo User Controller) is in fact what I 
started doing after making my initial post.
I have expanded my design to place login history and lockout history in 
separate models, and I have added a couple of lockout-related fields to the 
user model. If anyone wants to see what it looks like once I am done, I 
will be happy to share it.

I would like to make a couple of points:

   1. While it can be argued that history and two-factor authentication are 
   not core features, a configurable lockout feature should be a core piece of 
   any authentication framework. The lockout feature makes it tougher for an 
   attacker to break in, and also reduces the strain on your web-site if 
   someone launches a sustained attack. The logic used to determine that an 
   account is locked out should use slightly fewer cycles than the logic 
   required to verify the password. As a side note, some people may feel that 
   their web-site doesn't contain critical information and therefore doesn't 
   need a sophisticated security framework; however, we know that many people 
   re-use the same password over and over again. The user password that a 
   hacker is able to crack on your hamster fancier web-site may be the same 
   password that the user has applied to their brokerage account.
   2. The way that Hobo has set up the hooks and the authentication, login 
   authentication and password authentication are packaged together. Lockout 
   logic needs to authenticate the login and password separately. I am 
   therefore authenticating the login myself before I have Hobo perform its 
   own login/password authentication. It would be helpful if Hobo had separate 
   methods for login and password authentication. If I am missing something 
   here with regard to the hooks, please let me know.
   

On Friday, February 19, 2016 at 7:19:19 AM UTC-7, Henry Baragar wrote:
>
> Ed,
>
> Although valuable features, I am not sure that they belong in the Hobo 
> core.
>
> All of these features can be implemented using the hooks described in the 
> Hobo User Controller 
> <http://cookbook.hobocentral.net/manual/users_and_authentication#hobo-user-controller> 
> section of the manual. 
>
> Henry
>
> On 18/02/16 10:15 PM, Ed Gomolka wrote:
>
> I would like to add some security features to my Hobo app. In descending 
> priority order, I would like to add the following:
>
>
>    1. Account lockout feature to defend against brute force attacks. A 
>    given number of consecutive failed login attempts over a given time period 
>    would automatically lock the account for a few minutes (e.g.: 10 
>    consecutive failures within 5 minutes triggers a 15-minute lockout). 
>    2. Login history table, for both security and informational purposes. 
>    The table would be de-normalized, as it would track both successfully 
>    authenticated sessions and lockouts. There would be one row per login 
>    attempt. Login attempts on locked out accounts would be ignored and would 
>    not trigger the creation of new history rows. Possible columns for the 
>    table would be: 
>       1. login success boolean 
>       2. the user's ip address 
>       3. session start timestamp 
>       4. session end timestamp 
>       5. lockout boolean 
>       6. lockout duration
>    3. Optional two-factor authentication. 
>
>
> Has anyone done something like this? Are there plans to include any of 
> this in future Hobo releases?
>
> I have been looking at the base Hobo code. The sign_user_in method is 
> available for people who want to do their own authenticating. I am happy 
> with the Hobo authentication, but I would like to add additional logic 
> around it. I don't see an obvious way to add features as opposed to 
> replacing the whole thing.
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Hobo Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/hobousers.
> For more options, visit https://groups.google.com/d/optout.
>
>
> -- 
> *Henry Baragar*
> Director, Software Development
> *CSE* | *Canadian Securities Exchange*
> *D* (647) 729-8325
> 220 Bay Street, 9th Floor | Toronto | ON | Canada | M5J 2W4
> www.thecse.com | @CSE_News <https://twitter.com/CSE_News>
>

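As an added example (not Hobo's code and not code posted in this thread), here is a plain-Ruby sketch of the lockout policy the thread proposes: the lockout check is a cheap timestamp comparison that runs before any password verification, the password check itself is left to a caller-supplied block (where Hobo's own login/password authentication would sit), attempts on locked accounts are ignored without a history row, and every other attempt produces one de-normalized history row. The `LockoutPolicy` class, the `demo` walk-through with a fake clock, and the sample login and IP are assumptions; the 10 failures / 5 minutes / 15-minute thresholds are the ones from the original post.

```ruby
# Added example, not Hobo code: a lockout policy kept separate from the password check.
# Defaults follow the thread: 10 consecutive failures within 5 minutes lock for 15 minutes.
class LockoutPolicy
  attr_reader :history
  def initialize(max_failures: 10, window: 5 * 60, lockout: 15 * 60, clock: -> { Time.now })
    @max_failures, @window, @lockout, @clock = max_failures, window, lockout, clock
    @failures = Hash.new { |h, k| h[k] = [] } # login => timestamps of recent failures
    @locked_until = {}                        # login => Time the lockout expires
    @history = []                             # one de-normalized row per recorded attempt
  end

  # Cheap check (a clock read and one comparison); must run before any password hashing.
  def locked?(login)
    expires = @locked_until[login]
    !expires.nil? && @clock.call < expires
  end

  # Run in the app before Hobo's own login/password authentication. The block performs
  # the (expensive) password verification and is never called for a locked account.
  def attempt(login, ip)
    now = @clock.call
    return :ignored if locked?(login) # no history row for attempts on locked accounts
    if yield
      @failures.delete(login)
      @history << { login: login, ip: ip, at: now, success: true, lockout: false }
      return :ok
    end
    recent = (@failures[login] << now).select { |t| now - t <= @window } # sliding window
    @failures[login] = recent
    if recent.size >= @max_failures
      @locked_until[login] = now + @lockout
      @failures.delete(login)
      @history << { login: login, ip: ip, at: now, success: false, lockout: true, lockout_duration: @lockout }
      return :locked
    end
    @history << { login: login, ip: ip, at: now, success: false, lockout: false }
    :failed
  end
end

# Constructed walk-through with a fake clock: nine failures are recorded, the tenth locks the
# account, a correct password is ignored while locked, and succeeds once the lockout expires.
def demo
  t = Time.utc(2016, 2, 19, 7, 0, 0)
  policy = LockoutPolicy.new(clock: -> { t }) # the lambda reads the local t, so advancing t advances the clock
  results = (1..10).map { t += 10; policy.attempt('ed', '203.0.113.5') { false } }
  results << policy.attempt('ed', '203.0.113.5') { true } # correct password, but account is locked
  t += 15 * 60
  results << policy.attempt('ed', '203.0.113.5') { true } # lockout has expired
  [results, policy.history.size] # => [[:failed] * 9 + [:locked, :ignored, :ok], 11]
end
```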