Per-account login lockout — defends against credential stuffing.
Cache-backed counter + lock flag. See account_lockout::Lockout.
Per-account login lockout — defends against credential stuffing / brute-force attacks that bypass per-IP rate limits.

Backed by the cache layer (in-memory or Redis). Each failed login increments a counter; once it crosses the threshold, the account is locked for a configurable duration. Successful logins clear the counter.
§Quick start
use rustango::account_lockout::Lockout;
use rustango::cache::InMemoryCache;
use std::sync::Arc;
use std::time::Duration;

let cache: Arc<dyn rustango::cache::Cache> = Arc::new(InMemoryCache::new());
let lockout = Lockout::new(cache)
    .max_attempts(5)
    .lockout_duration(Duration::from_secs(900)); // 15 min

// Login handler. `password`, `verify_credentials` and `issue_session` are
// supplied by the application and elided here.
let username = "alice";
if lockout.is_locked(username).await {
    // Check the lock before touching credentials, so a locked account
    // cannot be probed further.
    return Err("account temporarily locked — try again later");
}
if !verify_credentials(username, password).await? {
    lockout.record_failure(username).await;
    return Err("bad credentials");
}
lockout.clear(username).await; // success → reset counter
issue_session(username).await

§Why per-account, not per-IP?
Per-IP rate limiting (RateLimitLayer::per_ip) catches one attacker pounding one endpoint. Per-account lockout catches a botnet trying the same username from thousands of IPs — the account is the rate axis. Both belong in your stack.
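The counter-plus-lock-flag logic described above, written out as an added, self-contained example rather than the crate's own `Lockout` code. It assumes a `Mutex<HashMap>` in place of the cache layer, takes the current `Instant` as a parameter so expiry can be exercised without sleeping, and adds one caveat the module text does not spell out: the account key is trimmed and lower-cased, so failures against "Alice" and "alice " land on the same counter. `SimpleLockout`, `attempt_login` and `LoginOutcome` are hypothetical names chosen for this example.

```rust
use std::collections::HashMap;
use std::sync::Mutex;
use std::time::{Duration, Instant};

/// Per-account state: failed-attempt counter plus the lock expiry, if locked.
#[derive(Debug, Default, Clone)]
struct AccountState {
    failures: u32,
    locked_until: Option<Instant>,
}

/// Outcome of one login attempt, mirroring the three branches of the quick start.
#[derive(Debug, PartialEq, Eq)]
pub enum LoginOutcome {
    Locked,
    BadCredentials,
    Success,
}

/// Hypothetical in-process stand-in for the cache-backed `Lockout`.
/// Assumption: a `Mutex<HashMap>` replaces the cache; callers pass `now`
/// explicitly instead of the tracker reading the clock itself.
pub struct SimpleLockout {
    max_attempts: u32,
    lockout_duration: Duration,
    state: Mutex<HashMap<String, AccountState>>,
}

/// Key normalisation: "Alice" and "alice " must share one counter, otherwise
/// failures spread across spellings never reach the threshold.
fn account_key(username: &str) -> String {
    username.trim().to_lowercase()
}

impl SimpleLockout {
    pub fn new(max_attempts: u32, lockout_duration: Duration) -> Self {
        Self { max_attempts, lockout_duration, state: Mutex::new(HashMap::new()) }
    }

    /// True while the account's lock has not yet expired. An expired lock is
    /// removed here, which also resets the failure counter.
    pub fn is_locked_at(&self, username: &str, now: Instant) -> bool {
        let key = account_key(username);
        let mut map = self.state.lock().unwrap();
        let lock_expiry = map.get(&key).and_then(|s| s.locked_until);
        match lock_expiry {
            Some(until) if now < until => true,
            Some(_) => {
                map.remove(&key);
                false
            }
            None => false,
        }
    }

    /// Increment the failure counter; once it reaches `max_attempts` the
    /// account is locked until `now + lockout_duration`. Returns whether this
    /// particular failure triggered the lock.
    pub fn record_failure_at(&self, username: &str, now: Instant) -> bool {
        let mut map = self.state.lock().unwrap();
        let st = map.entry(account_key(username)).or_default();
        st.failures += 1;
        if st.failures >= self.max_attempts {
            st.locked_until = Some(now + self.lockout_duration);
            true
        } else {
            false
        }
    }

    /// Successful login: drop both the counter and the lock flag.
    pub fn clear(&self, username: &str) {
        self.state.lock().unwrap().remove(&account_key(username));
    }

    /// Current failure count for an account (0 if unknown).
    pub fn failures(&self, username: &str) -> u32 {
        self.state.lock().unwrap().get(&account_key(username)).map_or(0, |s| s.failures)
    }
}

/// The login handler from the quick start. Credential verification is replaced
/// by a caller-supplied `credentials_ok` flag (constructed input for the example).
pub fn attempt_login(lockout: &SimpleLockout, username: &str, credentials_ok: bool, now: Instant) -> LoginOutcome {
    // Lock check comes first: a locked account is not probed at all,
    // even if the submitted password happens to be right.
    if lockout.is_locked_at(username, now) {
        return LoginOutcome::Locked;
    }
    if !credentials_ok {
        lockout.record_failure_at(username, now);
        return LoginOutcome::BadCredentials;
    }
    lockout.clear(username);
    LoginOutcome::Success
}

fn main() {
    let lockout = SimpleLockout::new(5, Duration::from_secs(900));
    let t0 = Instant::now();
    for i in 1..=6 {
        println!("attempt {}: {:?}", i, attempt_login(&lockout, "alice", false, t0));
    }
    let later = t0 + Duration::from_secs(901);
    println!("after 15 min: {:?}", attempt_login(&lockout, "Alice", true, later));
}
```

Running `main` shows five `BadCredentials` results, a sixth attempt answered with `Locked` without the counter moving, and `Success` once the 15-minute window has passed. The same shape carries over to the cache-backed version: the counter and the lock expiry are the two values you store per account key, and the key normalisation belongs in front of both reads and writes.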
Structs§
- Lockout
- Per-account lockout tracker.
Constants§
- DEFAULT_LOCKOUT_DURATION_SECS - Default lockout duration (15 minutes).
- DEFAULT_MAX_ATTEMPTS - Default attempts before lockout.