massx1 opened a new pull request, #1419: URL: https://github.com/apache/syncope/pull/1419
This change adds configurable throttling for anonymous password reset requests. The throttling is applied before user lookup, so repeated requests for both existing and non-existing usernames are handled consistently. When the configured threshold is exceeded, Syncope returns HTTP 429 Too Many Requests with a Retry-After header. The feature is controlled by dedicated security properties. The client address is included in the throttling key to avoid allowing an attacker who knows a username or email address to globally block password reset requests for that account.

-- 
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
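The behaviour the pull request describes, as an added illustration that is not the pull request's diff or Syncope's code: a fixed-window counter keyed on (username, client address) is charged before any user lookup, so an existing and a non-existing username get the same response, and once the threshold is hit the handler answers 429 with a Retry-After header. The threshold and window values, the `ResetThrottle` class and the `USERS` directory are assumptions constructed for the example; the real property names and defaults live in the pull request, not here.

```python
"""Added example (not Syncope's code): throttling of anonymous password-reset
requests, applied before user lookup and keyed on (username, client address).
Class names, thresholds and the sample user directory are assumptions."""
from dataclasses import dataclass, field


@dataclass
class ResetThrottle:
    # Assumed configuration values; the PR exposes these as security properties.
    max_requests: int = 3
    window_seconds: int = 300
    # key -> (window start, request count); an in-memory stand-in for a real store
    _windows: dict = field(default_factory=dict)

    @staticmethod
    def _key(username: str, client_addr: str) -> tuple:
        # Including the client address means someone who only knows the username
        # cannot exhaust the budget for that account from everywhere at once.
        return (username.strip().lower(), client_addr)

    def check(self, username: str, client_addr: str, now: int) -> int:
        """Charge one request; return 0 if allowed, else seconds to wait (Retry-After)."""
        key = self._key(username, client_addr)
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.window_seconds:
            start, count = now, 0          # window expired, start a fresh one
        if count >= self.max_requests:
            return start + self.window_seconds - now   # always >= 1 here
        self._windows[key] = (start, count + 1)
        return 0


# Constructed sample directory; stands in for the real user lookup.
USERS = {"alice": "[email protected]"}


def request_password_reset(throttle: ResetThrottle, username: str,
                           client_addr: str, now: int) -> dict:
    """Anonymous reset endpoint: throttle first, look the user up second."""
    wait = throttle.check(username, client_addr, now)
    if wait:
        return {"status": 429, "headers": {"Retry-After": str(wait)}}
    # The throttle has already been charged, so the lookup cannot leak timing
    # or budget differences between known and unknown usernames.
    if username.strip().lower() in USERS:
        pass  # token generation and e-mail delivery would happen here (not modelled)
    # Identical response whether or not the user exists: no enumeration oracle.
    return {"status": 204, "headers": {}}


def demo() -> list:
    """Run a short scenario and return the status codes observed."""
    t = ResetThrottle()
    seen = [request_password_reset(t, "alice", "198.51.100.7", now)["status"]
            for now in (0, 1, 2, 3)]                      # 4th request exceeds 3
    seen.append(request_password_reset(t, "bob", "198.51.100.7", 3)["status"])    # unknown user
    seen.append(request_password_reset(t, "alice", "203.0.113.9", 3)["status"])   # other client
    seen.append(request_password_reset(t, "alice", "198.51.100.7", 300)["status"])  # window over
    return seen


if __name__ == "__main__":
    print(demo())
```

The point worth noticing in the scenario is the fourth request: it is rejected before the directory is consulted, while the same client asking for an unknown user, and a different client asking for the same user, are both still served, because each combination has its own budget.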
