Auth grant password spam
Hi, I keep getting millions of 400 POST requests for grant password; any clue how to limit that?

What exact endpoint? Not sure what grant password is.
There are no IP blocks.
There are rate limits for some auth endpoints in the Authenticate tab under rate limits.
How many users do you have?
What is your JWT refresh time set to?
If you check the IP on some of these requests in the API Gateway or Auth logs are they the same IP? Is the IP related to your app/server?
auth/v1/token?grant_type=password | null
It's random IPs; looks like this is a DDoS attack.
Yeah, I was more thinking token refresh, which is the same URL, which is easy to get out of control.
But support is probably best contact point.
Not sure if rate limiting signup/ins would help or not if from lots of IPs...
https://supabase.com/dashboard/project/_/auth/rate-limits
There are also captcha controls potentially, but not something I know much about.
Ya, support was useless :/
Gary is right about using captchas to add some protection against this. Don't know about hCaptcha, but Turnstile is easy to set up.
@inder will this work even on a React Native app?
I don't use React Native, but I found this article: https://developers.cloudflare.com/turnstile/get-started/mobile-implementation/
hCaptcha has an official SDK for React Native: https://docs.hcaptcha.com/mobile_app_sdks/#react-native
This article might be helpful for setting up Turnstile with React Native: https://medium.com/@shanavascruise/how-we-integrated-cloudflare-turnstile-captcha-in-a-react-native-app-with-webview-4197f6e867fc
Do note that requests still go to your Supabase instance.
If you want to rate-limit, then add a reverse proxy between your client and your instance.
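An added example, not code from the thread or from Supabase: it shows the two checks discussed above, first whether the failed password-grant traffic is spread across many IPs (so per-IP blocking won't help and route-level limiting plus a captcha is the right response), then a token-bucket limiter of the kind a reverse proxy would apply to that one route. The log line format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample gateway log lines (format assumed: ip method path status).
SAMPLE_LOG = """\
203.0.113.5 POST /auth/v1/token?grant_type=password 400
203.0.113.9 POST /auth/v1/token?grant_type=password 400
198.51.100.7 POST /auth/v1/token?grant_type=password 400
198.51.100.8 POST /auth/v1/token?grant_type=refresh_token 200
203.0.113.5 POST /auth/v1/token?grant_type=password 400
192.0.2.44 POST /auth/v1/token?grant_type=password 400
192.0.2.45 POST /auth/v1/token?grant_type=password 400
192.0.2.46 GET /rest/v1/profiles 200
"""
PASSWORD_GRANT = "/auth/v1/token?grant_type=password"
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

def failed_password_grants(log_text):
    """Map client IP -> count of 400 responses on the password grant only
    (token refresh hits the same /auth/v1/token path, so filter on grant_type)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == PASSWORD_GRANT \
                and m["status"] == "400":
            counts[m["ip"]] += 1
    return counts

def is_distributed(counts, min_ips=3, max_share=0.5):
    """True when failures come from many IPs with none dominating: per-IP
    blocks are pointless, so limit the route as a whole and add a captcha."""
    total = sum(counts.values())
    if total == 0 or len(counts) < min_ips:
        return False
    return max(counts.values()) / total <= max_share

class RouteRateLimiter:
    """Token bucket for one route, the check a reverse proxy would run in
    front of the password grant before forwarding to the Supabase instance."""
    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # deny: caller answers 429 without touching the backend
```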