@CuriousLearner

Implement comprehensive brute force protection with the following changes:

  • Add failed_attempts field to SMSVerification model to track verification attempts
  • Implement MAX_FAILED_ATTEMPTS setting (default: 5) to lock sessions after threshold
  • Add MIN_TOKEN_LENGTH setting (default: 6) to enforce minimum security code length
  • Add SECURITY_CODE_TOO_MANY_ATTEMPTS status code for locked sessions
  • Include database migration for backward compatibility
  • Update admin interface to display failed_attempts field
  • Add comprehensive comments explaining attempt tracking logic

Closes #100 Supersedes #117

@CuriousLearner force-pushed the pr-117 branch 5 times, most recently from 6e3e7b0 to 9efb7fd on October 19, 2025 00:41
Add comprehensive brute force protection to prevent automated attacks on SMS verification codes:

- Add failed_attempts field to SMSVerification model with database migration
- Implement MAX_FAILED_ATTEMPTS setting (default: 5) for session lockout
- Implement MIN_TOKEN_LENGTH setting (default: 6) to enforce minimum security code length
- Track failed attempts for invalid, expired, and already-verified codes
- Reset failed_attempts to 0 on successful verification
- Update validation logic to check brute force limit before other validations
- Add SECURITY_CODE_TOO_MANY_ATTEMPTS status code and error handling
- Update sandbox backends to support brute force protection while maintaining test-friendly behavior
- Add comprehensive test coverage for brute force protection scenarios
- Update documentation with new security settings

Closes #100

Co-authored-by: Harsh <[email protected]>
@CuriousLearner merged commit 5c9a2fa into master on Oct 19, 2025
15 checks passed
@CuriousLearner deleted the pr-117 branch on October 19, 2025 01:54
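The validation flow the PR description and commit message lay out (lockout checked first, every invalid, expired or already-verified submission counted, counter reset on success, minimum code length enforced), written out as an added stand-alone example. This is not the project's own code: the `Store` class stands in for the database table, and the expiry window, the status names other than `SECURITY_CODE_TOO_MANY_ATTEMPTS`, the `attempts_until_locked` helper and the constant-time comparison are assumptions of this example, not things the PR states.

```python
# Added example, not the project's code: per-session lockout for SMS codes.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

# Settings introduced by the PR, with the defaults it states.
MAX_FAILED_ATTEMPTS = 5   # lock the session once this many attempts have failed
MIN_TOKEN_LENGTH = 6      # shortest security code the service may issue

# Assumed for this example: expiry window (seconds) and the status names
# other than SECURITY_CODE_TOO_MANY_ATTEMPTS.
SECURITY_CODE_EXPIRATION_SECONDS = 300
SECURITY_CODE_VALID = "security_code_valid"
SECURITY_CODE_INVALID = "security_code_invalid"
SECURITY_CODE_EXPIRED = "security_code_expired"
SECURITY_CODE_VERIFIED = "security_code_verified"
SECURITY_CODE_TOO_MANY_ATTEMPTS = "security_code_too_many_attempts"
SESSION_TOKEN_INVALID = "session_token_invalid"


def token_length_allowed(length: int) -> bool:
    """MIN_TOKEN_LENGTH check applied when the service is configured."""
    return length >= MIN_TOKEN_LENGTH


def guess_probability(token_length: int, max_attempts: int = MAX_FAILED_ATTEMPTS) -> float:
    """Chance of guessing a uniformly random numeric code before lockout."""
    return max_attempts / 10 ** token_length


@dataclass
class SMSVerification:
    """Stand-in for the model row; failed_attempts is the field the PR adds."""
    phone_number: str
    security_code: str
    session_token: str
    created_at: float          # Unix timestamp (assumption, keeps the example small)
    is_verified: bool = False
    failed_attempts: int = 0

    def is_expired(self, now: float) -> bool:
        return now - self.created_at > SECURITY_CODE_EXPIRATION_SECONDS


class Store:
    """In-memory stand-in for the SMSVerification table (assumption)."""

    def __init__(self, token_length: int = MIN_TOKEN_LENGTH) -> None:
        if not token_length_allowed(token_length):
            raise ValueError(f"token length {token_length} is below MIN_TOKEN_LENGTH={MIN_TOKEN_LENGTH}")
        self.token_length = token_length
        self.rows: Dict[str, SMSVerification] = {}

    def create(self, phone_number: str, now: float) -> SMSVerification:
        """Issue a fresh code and session token; the code is what would go out by SMS."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.token_length))
        row = SMSVerification(phone_number, code, secrets.token_urlsafe(32), now)
        self.rows[row.session_token] = row
        return row

    def verify(self, phone_number: str, security_code: str, session_token: str, now: float) -> str:
        """Validate a submitted code, counting every failure against the session."""
        row = self.rows.get(session_token)
        if row is None or row.phone_number != phone_number:
            return SESSION_TOKEN_INVALID
        # The lockout is checked before anything else: a locked session reveals
        # nothing about expiry or code correctness and cannot be unlocked by guessing.
        if row.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return SECURITY_CODE_TOO_MANY_ATTEMPTS
        # Expired and already-verified codes count as failed attempts as well.
        if row.is_expired(now):
            row.failed_attempts += 1
            return SECURITY_CODE_EXPIRED
        if row.is_verified:
            row.failed_attempts += 1
            return SECURITY_CODE_VERIFIED
        # Constant-time comparison (assumption, not stated by the PR) so response
        # timing does not reveal how many leading digits were right.
        if not hmac.compare_digest(row.security_code.encode(), security_code.encode()):
            row.failed_attempts += 1
            return SECURITY_CODE_INVALID
        row.is_verified = True
        row.failed_attempts = 0   # success resets the counter
        return SECURITY_CODE_VALID


def attempts_until_locked(store: Store, row: SMSVerification, now: float) -> int:
    """Attacker's view: submit wrong codes until the session locks; returns guesses evaluated."""
    evaluated = 0
    for guess in range(10 ** store.token_length):
        code = str(guess).zfill(store.token_length)
        if code == row.security_code:
            continue   # only wrong guesses, so the run is deterministic
        if store.verify(row.phone_number, code, row.session_token, now) == SECURITY_CODE_TOO_MANY_ATTEMPTS:
            return evaluated
        evaluated += 1
    return evaluated
```

With the stated defaults, `attempts_until_locked` stops after exactly five guesses and `guess_probability(6)` is 5 in a million, which is the point of pairing MAX_FAILED_ATTEMPTS with MIN_TOKEN_LENGTH: shortening the code to four digits would raise that to 1 in 2,000 even with the same lockout. One caveat for the real table that this in-memory version does not show: the increment must be atomic (a row lock or an `F()`-style update in the ORM), otherwise concurrent requests can all read `failed_attempts == 4` and evaluate more guesses than the limit allows.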


Linked issue (closed by this merge): Discard session token after n failed attempts
