We should add the bruteforce protection also the two factor challenge endpoint, there are some challenges with that mainly the fact that we can't just throttle the controller because then a valid token may be expired again.
My proposal would be to basically logout users after 3 invalid Two Factor challenges and increase the bruteforce counter in that case. The user has then to reenter their password and this case will be slowed down.
cc @ChristophWurst @nextcloud/security Thoughts?
We should add the bruteforce protection also the two factor challenge endpoint, there are some challenges with that mainly the fact that we can't just throttle the controller because then a valid token may be expired again.
My proposal would be to basically logout users after 3 invalid Two Factor challenges and increase the bruteforce counter in that case. The user has then to reenter their password and this case will be slowed down.
cc @ChristophWurst @nextcloud/security Thoughts?