
GitLab should have an option to prevent users from signing in from multiple IPs

What does this MR do?

Adds an option to limit logging in from too many IPs in a configured time frame.

It uses Redis SortedSets to implement this:

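r.zadd(key, time, ip)                           # record this IP, scored by the login timestamp
r.zremrangebyscore(key, 0, time - time_window)  # drop IPs last seen before the window
unique_ips_count = r.zcard(key)                 # distinct IPs remaining in the window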

Are there points in the code the reviewer needs to double check?

This MR is sort of a request for comments, as I have mixed feelings myself about e.g. using Thread.current local storage to make the request IP accessible from different parts of the code without much modification.

Why was this MR needed?

Spam attacks can require a significant amount of work to mitigate. This MR gives yet another tool to help fight spam.

Screenshots (if relevant)

Does this MR meet the acceptance criteria?

What are the relevant issue numbers?

Closes #27520 (closed)
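
The sliding-window count described in this MR, as an added Ruby example that is not part of the merge request or GitLab's code. `FakeSortedSet` is an in-memory stand-in for the three Redis commands so it runs offline; `UniqueIpLimiter`, the key format, the limits and the sample logins are assumptions made for illustration.

```ruby
# Added illustration (not GitLab's code): in-memory stand-in for the three
# Redis sorted-set commands used in the MR, so the example runs without Redis.
class FakeSortedSet
  def initialize
    @sets = Hash.new { |h, k| h[k] = {} } # key => { member => score }
  end

  # ZADD: adding an existing member only updates its score (no duplicate).
  def zadd(key, score, member)
    @sets[key][member] = score
  end

  # ZREMRANGEBYSCORE: delete members with min <= score <= max (inclusive).
  def zremrangebyscore(key, min, max)
    @sets[key].delete_if { |_member, score| score >= min && score <= max }
  end

  # ZCARD: number of members left in the set.
  def zcard(key)
    @sets[key].size
  end
end

# Hypothetical limiter: class name, key format and limits are assumptions.
class UniqueIpLimiter
  def initialize(store, max_ips:, time_window:)
    @store = store
    @max_ips = max_ips
    @time_window = time_window
  end

  # Records the login, expires old IPs, and returns true while within the limit.
  def allow?(user_id, ip, time)
    key = "unique_ips:#{user_id}"
    @store.zadd(key, time, ip)
    @store.zremrangebyscore(key, 0, time - @time_window)
    @store.zcard(key) <= @max_ips
  end
end

def demo
  limiter = UniqueIpLimiter.new(FakeSortedSet.new, max_ips: 2, time_window: 3600)
  # Constructed sample logins for one user: [ip, unix time]
  [["198.51.100.1", 1000], ["198.51.100.2", 1600], ["198.51.100.1", 2000],
   ["198.51.100.3", 2500], ["198.51.100.3", 5700]].map do |ip, t|
    limiter.allow?(7, ip, t)
  end
end
```

A repeated IP refreshes its timestamp instead of adding a member, and the third distinct IP is refused until the two older ones fall out of the window. Against a real Redis server the three commands are separate round trips and are not atomic unless wrapped in a transaction.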
