feat: add login throttling to prevent brute force attacks

Implements in-memory login attempt throttling that tracks failed attempts
per identity and temporarily locks accounts after exceeding configurable
thresholds.

New config options under selfservice.flows.login.throttle:
- max_attempts: max failures before lockout (default: 0 = disabled)
- window: time window for counting failures (default: 5m)
- lockout_duration: how long account stays locked (default: 15m)

When throttling is enabled and an identity exceeds max_attempts within
the window, subsequent login attempts return HTTP 429 until the lockout
expires. Successful logins reset the counter.

Relates to #3037

Author: veeceey

driver/config/config.go

@@ -127,6 +127,9 @@ const (
 	ViperKeySelfServiceLoginRequestLifespan                  = "selfservice.flows.login.lifespan"
 	ViperKeySelfServiceLoginAfter                            = "selfservice.flows.login.after"
 	ViperKeySelfServiceLoginBeforeHooks                      = "selfservice.flows.login.before.hooks"
+	ViperKeySelfServiceLoginThrottleMaxAttempts               = "selfservice.flows.login.throttle.max_attempts"
+	ViperKeySelfServiceLoginThrottleWindow                    = "selfservice.flows.login.throttle.window"
+	ViperKeySelfServiceLoginThrottleLockoutDuration           = "selfservice.flows.login.throttle.lockout_duration"
 	ViperKeySelfServiceErrorUI                               = "selfservice.flows.error.ui_url"
 	ViperKeySelfServiceLogoutBrowserDefaultReturnTo          = "selfservice.flows.logout.after." + DefaultBrowserReturnURL
 	ViperKeySelfServiceSettingsURL                           = "selfservice.flows.settings.ui_url"
@@ -1039,6 +1042,24 @@ func (p *Config) SelfServiceFlowLoginRequestLifespan(ctx context.Context) time.D
 	return p.GetProvider(ctx).DurationF(ViperKeySelfServiceLoginRequestLifespan, time.Hour)
 }
 
+// SelfServiceFlowLoginThrottleMaxAttempts returns the maximum number of
+// failed login attempts before temporary lockout.
+func (p *Config) SelfServiceFlowLoginThrottleMaxAttempts(ctx context.Context) int {
+	return p.GetProvider(ctx).IntF(ViperKeySelfServiceLoginThrottleMaxAttempts, 0)
+}
+
+// SelfServiceFlowLoginThrottleWindow returns the window in which
+// failed login attempts are counted.
+func (p *Config) SelfServiceFlowLoginThrottleWindow(ctx context.Context) time.Duration {
+	return p.GetProvider(ctx).DurationF(ViperKeySelfServiceLoginThrottleWindow, 5*time.Minute)
+}
+
+// SelfServiceFlowLoginThrottleLockoutDuration returns how long an identity
+// is locked out after exceeding the max attempts.
+func (p *Config) SelfServiceFlowLoginThrottleLockoutDuration(ctx context.Context) time.Duration {
+	return p.GetProvider(ctx).DurationF(ViperKeySelfServiceLoginThrottleLockoutDuration, 15*time.Minute)
+}
+
 func (p *Config) SelfServiceFlowSettingsFlowLifespan(ctx context.Context) time.Duration {
 	return p.GetProvider(ctx).DurationF(ViperKeySelfServiceSettingsRequestLifespan, time.Hour)
 }

selfservice/flow/login/error.go

@@ -43,6 +43,15 @@ var (
 
 	// ErrSessionRequiredForHigherAAL is returned when someone requests AAL2 or AAL3 even though no active session exists yet.
 	ErrSessionRequiredForHigherAAL = herodot.ErrUnauthorized.WithID(text.ErrIDSessionRequiredForHigherAAL).WithError("aal2 and aal3 can only be requested if a session exists already").WithReason("You can not requested a higher AAL (AAL2/AAL3) without an active session.")
+
+	// ErrAccountLockedOut is returned when an identity has been temporarily
+	// locked due to too many failed login attempts.
+	ErrAccountLockedOut = herodot.DefaultError{
+		StatusField: "Too Many Requests",
+		ErrorField:  "account temporarily locked",
+		ReasonField: "Too many failed login attempts. Please try again later.",
+		CodeField:   http.StatusTooManyRequests,
+	}
 )
 
 type (

selfservice/flow/login/handler.go

@@ -4,6 +4,7 @@
 package login
 
 import (
+	"context"
 	"net/http"
 	"strconv"
 	"time"
@@ -20,6 +21,7 @@ import (
 	"github.com/ory/kratos/identity"
 	"github.com/ory/kratos/schema"
 	"github.com/ory/kratos/selfservice/errorx"
+	"github.com/ory/kratos/selfservice/flow/login/throttle"
 	"github.com/ory/kratos/selfservice/flow"
 	"github.com/ory/kratos/selfservice/sessiontokenexchange"
 	"github.com/ory/kratos/session"
@@ -70,12 +72,32 @@ type (
 	HandlerProvider interface {
 		LoginHandler() *Handler
 	}
-	Handler struct{ d dependencies }
+	Handler struct {
+		d         dependencies
+		throttler *throttle.Limiter
+	}
 )
 
-func NewHandler(d dependencies) *Handler { return &Handler{d: d} }
+func NewHandler(d dependencies) *Handler {
+	return &Handler{d: d}
+}
+
+func (h *Handler) initThrottler(ctx context.Context) {
+	maxAttempts := h.d.Config().SelfServiceFlowLoginThrottleMaxAttempts(ctx)
+	if maxAttempts <= 0 {
+		return
+	}
+	h.throttler = throttle.NewLimiter(throttle.Config{
+		MaxAttempts:     maxAttempts,
+		ThrottleWindow:  h.d.Config().SelfServiceFlowLoginThrottleWindow(ctx),
+		LockoutDuration: h.d.Config().SelfServiceFlowLoginThrottleLockoutDuration(ctx),
+	})
+}
 
 func (h *Handler) RegisterPublicRoutes(public *httprouterx.RouterPublic) {
+	// Initialize login throttler if configured.
+	h.initThrottler(context.Background())
+
 	h.d.CSRFHandler().IgnorePath(RouteInitAPIFlow)
 	h.d.CSRFHandler().IgnorePath(RouteSubmitFlow)
 
@@ -932,10 +954,27 @@ continueLogin:
 		} else if errors.Is(err, flow.ErrCompletedByStrategy) {
 			return
 		} else if err != nil {
+			// Record failed login attempt for throttling.
+			if h.throttler != nil {
+				if identityID := x.ExtractIdentityID(err); identityID != uuid.Nil {
+					if locked := h.throttler.RecordFailure(identityID); locked {
+						h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, ss.ID(), group, errors.WithStack(ErrAccountLockedOut))
+						return
+					}
+				}
+			}
 			h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, ss.ID(), group, err)
 			return
 		}
 
+		// Check if identity is locked out before allowing login.
+		if h.throttler != nil {
+			if locked, _ := h.throttler.IsLockedOut(interim.ID); locked {
+				h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, ss.ID(), group, errors.WithStack(ErrAccountLockedOut))
+				return
+			}
+		}
+
 		// What can happen is that we re-authenticate as another user. In this case, we need to use a completely fresh
 		// session!
 		if sess.IdentityID != uuid.Nil && sess.IdentityID != interim.ID {
@@ -954,6 +993,11 @@ continueLogin:
 		return
 	}
 
+	// Clear throttle state on successful login.
+	if h.throttler != nil {
+		h.throttler.RecordSuccess(i.ID)
+	}
+
 	if err := h.d.LoginHookExecutor().PostLoginHook(w, r, group, f, i, sess, ""); err != nil {
 		if errors.Is(err, ErrAddressNotVerified) {
 			h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, ct, node.DefaultGroup, errors.WithStack(schema.NewAddressNotVerifiedError()))

selfservice/flow/login/throttle/throttle.go

@@ -0,0 +1,177 @@
+// Copyright © 2023 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package throttle
+
+import (
+	"sync"
+	"time"
+
+	"github.com/gofrs/uuid"
+)
+
+// Config holds the configuration for login throttling.
+type Config struct {
+	// MaxAttempts is the maximum number of failed login attempts
+	// before the identity gets locked out temporarily.
+	MaxAttempts int
+
+	// ThrottleWindow is the time window within which failed attempts are counted.
+	ThrottleWindow time.Duration
+
+	// LockoutDuration is how long an identity is locked out after
+	// exceeding MaxAttempts within the ThrottleWindow.
+	LockoutDuration time.Duration
+}
+
+// DefaultConfig returns the default throttle configuration.
+func DefaultConfig() Config {
+	return Config{
+		MaxAttempts:     5,
+		ThrottleWindow:  5 * time.Minute,
+		LockoutDuration: 15 * time.Minute,
+	}
+}
+
+type attempt struct {
+	timestamp time.Time
+}
+
+type identityState struct {
+	attempts  []attempt
+	lockedAt  time.Time
+	lockUntil time.Time
+}
+
+// Limiter tracks failed login attempts per identity and enforces throttling.
+type Limiter struct {
+	mu     sync.RWMutex
+	states map[uuid.UUID]*identityState
+	config Config
+}
+
+// NewLimiter creates a new login throttle limiter.
+func NewLimiter(cfg Config) *Limiter {
+	l := &Limiter{
+		states: make(map[uuid.UUID]*identityState),
+		config: cfg,
+	}
+	return l
+}
+
+// IsLockedOut checks whether the given identity is currently locked out.
+// Returns true and the remaining lockout duration if locked out.
+func (l *Limiter) IsLockedOut(identityID uuid.UUID) (bool, time.Duration) {
+	l.mu.RLock()
+	defer l.mu.RUnlock()
+
+	state, ok := l.states[identityID]
+	if !ok {
+		return false, 0
+	}
+
+	if !state.lockUntil.IsZero() && time.Now().Before(state.lockUntil) {
+		return true, time.Until(state.lockUntil)
+	}
+
+	return false, 0
+}
+
+// RecordFailure records a failed login attempt for the given identity.
+// Returns true if the identity is now locked out as a result.
+func (l *Limiter) RecordFailure(identityID uuid.UUID) bool {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	state, ok := l.states[identityID]
+	if !ok {
+		state = &identityState{}
+		l.states[identityID] = state
+	}
+
+	// If currently locked, don't reset anything
+	if !state.lockUntil.IsZero() && time.Now().Before(state.lockUntil) {
+		return true
+	}
+
+	// Prune old attempts outside the throttle window
+	now := time.Now()
+	cutoff := now.Add(-l.config.ThrottleWindow)
+	pruned := make([]attempt, 0, len(state.attempts))
+	for _, a := range state.attempts {
+		if a.timestamp.After(cutoff) {
+			pruned = append(pruned, a)
+		}
+	}
+
+	// Add the new failure
+	pruned = append(pruned, attempt{timestamp: now})
+	state.attempts = pruned
+
+	// Check if we should lock out
+	if len(state.attempts) >= l.config.MaxAttempts {
+		state.lockedAt = now
+		state.lockUntil = now.Add(l.config.LockoutDuration)
+		return true
+	}
+
+	return false
+}
+
+// RecordSuccess clears the failed attempt history for the given identity.
+func (l *Limiter) RecordSuccess(identityID uuid.UUID) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	delete(l.states, identityID)
+}
+
+// RecentFailures returns the number of recent failed attempts for the identity
+// within the throttle window.
+func (l *Limiter) RecentFailures(identityID uuid.UUID) int {
+	l.mu.RLock()
+	defer l.mu.RUnlock()
+
+	state, ok := l.states[identityID]
+	if !ok {
+		return 0
+	}
+
+	cutoff := time.Now().Add(-l.config.ThrottleWindow)
+	count := 0
+	for _, a := range state.attempts {
+		if a.timestamp.After(cutoff) {
+			count++
+		}
+	}
+	return count
+}
+
+// Cleanup removes expired entries. Should be called periodically
+// to prevent unbounded memory growth.
+func (l *Limiter) Cleanup() {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	now := time.Now()
+	for id, state := range l.states {
+		// Remove entries where lockout has expired and no recent attempts
+		if !state.lockUntil.IsZero() && now.After(state.lockUntil) {
+			delete(l.states, id)
+			continue
+		}
+
+		// Remove entries with no recent attempts in the window
+		cutoff := now.Add(-l.config.ThrottleWindow)
+		hasRecent := false
+		for _, a := range state.attempts {
+			if a.timestamp.After(cutoff) {
+				hasRecent = true
+				break
+			}
+		}
+		if !hasRecent && state.lockUntil.IsZero() {
+			delete(l.states, id)
+		}
+	}
+}