Request for new functionality
Description
How this might work: If the same IP makes many failed login attempts against the login endpoints, the IP should be blocked for increasing periods of time as the failed attempts continue.
If applicable, reasons why alternative solutions are not sufficient:
I've tried achieving this security measure by setting a quota on Identity Platform queries per user, but our service accounts, which check auth tokens, were affected by the quota, since requests to our back end validate whether the token provided by the client is valid.
It would be great to be able to apply this "quota" only to login attempts and also to block the user's IP for a period of time, instead of only limiting requests until a minute runs out before the attacker can keep trying to password spray.
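The escalating per-IP lockout described above, sketched as an added example that is not part of this report or of Identity Platform: failed logins are counted per source IP, the block length doubles each time the same IP is blocked again, and only the login path consults the limiter, so back-end token verification is never throttled by it. The threshold, block lengths and IP addresses are constructed values.

```python
import time
from dataclasses import dataclass


@dataclass
class IpState:
    failures: int = 0           # consecutive failed logins since the last block
    strikes: int = 0            # how many blocks this IP has earned (drives escalation)
    blocked_until: float = 0.0  # epoch seconds; 0.0 means not blocked


class LoginRateLimiter:
    """Per-IP lockout that doubles in length each time an IP is blocked again.

    Only the login endpoint consults this; token-verification calls from back-end
    service accounts never touch it, so they cannot be starved by the limit.
    """

    def __init__(self, threshold=5, base_block_s=60, max_block_s=3600, clock=time.time):
        self.threshold = threshold        # failures allowed before a block
        self.base_block_s = base_block_s  # length of the first block
        self.max_block_s = max_block_s    # cap on the escalation
        self.clock = clock                # injectable so tests can advance time
        self.state: dict[str, IpState] = {}

    def seconds_blocked(self, ip: str) -> float:
        s = self.state.get(ip)
        return max(0.0, s.blocked_until - self.clock()) if s else 0.0

    def record_failure(self, ip: str) -> int:
        """Count a failed login; return the block length applied (0 if none)."""
        s = self.state.setdefault(ip, IpState())
        s.failures += 1
        if s.failures < self.threshold:
            return 0
        s.strikes += 1
        block = min(self.base_block_s * 2 ** (s.strikes - 1), self.max_block_s)
        s.blocked_until = self.clock() + block
        s.failures = 0  # the next window starts after the block expires
        return block

    def record_success(self, ip: str) -> None:
        self.state.pop(ip, None)  # a real login clears the IP's history

    def login(self, ip: str, password_ok: bool) -> str:
        """Endpoint glue: refuse blocked IPs before credentials are even checked."""
        if self.seconds_blocked(ip) > 0:
            return "blocked"
        if password_ok:
            self.record_success(ip)
            return "ok"
        return "blocked" if self.record_failure(ip) else "failed"
```

In a real deployment the state would live in a shared store rather than process memory, and a successful login from a blocked IP is still refused until the block expires, which is what stops a spray from simply continuing after the first minute.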
Other information (workarounds you have tried, documentation consulted, etc):
This article on Medium by EurekaSurveys details the issue and suggests 2 workarounds, but they are not very reliable.