Possible to detect a brute force attack on user credentials?

As of now a server will allow unlimited attempts to log in with a given username. Does anyone know a way to detect such activity?

I was thinking it would be possible to intercept at the Express level before forwarding on the request to the Parse layer, but I’m not familiar enough with how Parse Server works.

If I understand correctly, there is an accountLockout or similar option. You specify a number. If failed logins pass this number, the account will be locked out for x time (you set that), and logins are rejected for this user.

2 Likes
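A sketch of the Express-level check raised in the question, using the same two settings the answer describes (a failure count and a lockout time). This is an added example, not part of the thread and not Parse Server's own code; `FailedLoginTracker` and `loginGuard` are hypothetical names, and it assumes the username is in the request body or query and that a non-2xx response from the login route means the attempt failed.

```javascript
// Added example with hypothetical names; this is not Parse Server source code.
class FailedLoginTracker {
  constructor({ threshold, durationMinutes }) {
    this.threshold = threshold;                    // failures that trigger a lock
    this.durationMs = durationMinutes * 60 * 1000; // how long the lock lasts
    this.state = new Map();                        // username -> { failures, lockedUntil }
  }

  isLocked(username, now = Date.now()) {
    const entry = this.state.get(username);
    return Boolean(entry) && entry.lockedUntil > now;
  }

  // Record one login outcome. Returns true when this failure trips the lock,
  // which is the moment to raise an alert.
  record(username, succeeded, now = Date.now()) {
    if (this.isLocked(username, now)) return false;
    if (succeeded) { this.state.delete(username); return false; }
    const entry = this.state.get(username);
    // An entry whose lock has expired starts counting from zero again.
    const failures = (entry && entry.lockedUntil === 0 ? entry.failures : 0) + 1;
    const tripped = failures >= this.threshold;
    this.state.set(username, { failures, lockedUntil: tripped ? now + this.durationMs : 0 });
    return tripped;
  }
}

// Express-style middleware to mount on the login route ahead of Parse Server.
// Assumptions: the username arrives in req.body or req.query, and any
// non-2xx response status from the login route means the attempt failed.
function loginGuard(tracker, onLockout = () => {}) {
  return (req, res, next) => {
    const username = (req.body && req.body.username) || (req.query && req.query.username);
    if (!username) return next();
    if (tracker.isLocked(username)) {
      return res.status(429).json({ error: 'Too many failed login attempts' });
    }
    // Observe the outcome once the downstream handler has responded.
    res.on('finish', () => {
      const ok = res.statusCode >= 200 && res.statusCode < 300;
      if (tracker.record(username, ok)) onLockout(username, req.ip);
    });
    next();
  };
}
```

The state here lives in one process's memory and is keyed by caller-supplied usernames, so a real deployment would want a shared store with expiry and a cap on tracked entries.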

Thank you, it was not documented super well so this pointer helped a lot. The PR with the change enabling this behavior is here: https://github.com/parse-community/parse-server/pull/2601

1 Like

@acgourley Thanks for your feedback on the docs. If you think the documentation can be improved, please let us know where you would expect to see which information by opening an issue in the docs repo. If you want to go even further, we would gladly review your PR for the docs change.