feat(security): add Memcached-based rate limiting for remember-token auto-login

Prevents brute-force attacks against remember-me cookies. Uses Memcached
(Cache::add + increment) to track failures per IP: 5 attempts in 15 min
window, auto-expiring via TTL. Counter resets on successful auto-login.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-14 15:57:29 +01:00
parent a3a403c2ec
commit c45c636614
3 changed files with 65 additions and 2 deletions

View File

@@ -80,7 +80,8 @@ class AuthServicesFactory
$this->sessionStore,
$this->cookieStore,
$this->requestRuntime,
$this->authGatewayFactory->createAuthSettingsGateway()
$this->authGatewayFactory->createAuthSettingsGateway(),
new RememberMeRateLimiter()
);
}