From eb4419c90c48428e6a00a3191eeb47452846e950 Mon Sep 17 00:00:00 2001 From: zedzior Date: Thu, 4 Jul 2024 12:45:36 +0200 Subject: [PATCH] Add login throttling mechanism description --- docs/api-usage/authentication.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/api-usage/authentication.mdx b/docs/api-usage/authentication.mdx index 6cd68570c..f3fcc8c51 100644 --- a/docs/api-usage/authentication.mdx +++ b/docs/api-usage/authentication.mdx @@ -423,6 +423,12 @@ sequenceDiagram You can find an example implementation of the authentication flow here: [saleor-next-starter](https://github.com/saleor/saleor-next-starter/tree/main/src/auth). ::: +### Login throttling + +To prevent accounts from credential-guessing attacks, Saleor uses login throttling. First, it blocks concurrent login requests originating from the same IP address for the duration of the authentication process. +Next, if the user fails to log in due to an invalid password, the block time will be extended by a power of 2 seconds. In case of an unknown email address, the policy is loosened and the delay of the next login attempt +will be extended after every 10 attempts. The maximum time for a user's IP can be blocked is set to 60 minutes. The throttling mechanism will be reset after a successful login attempt. + ## User authentication using OpenID Connect OpenID Connect (OIDC) is an [OAuth 2.0](https://oauth.net/2/) extension allowing the transfer of identity information between the client and the authorization server.
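Review bot: The new "Login throttling" section added to docs/api-usage/authentication.mdx leaves the backoff rule ambiguous: "the block time will be extended by a power of 2 seconds" does not say whether the delay doubles after each failed password (2, 4, 8 s, ...) or starts from some base, and "the delay of the next login attempt will be extended after every 10 attempts" for unknown email addresses does not say by how much; please state the exact delay sequence for both cases so integrators can size their retry logic against it. Two wording fixes in the same hunk: "To prevent accounts from credential-guessing attacks" should read "To protect accounts from credential-guessing attacks", and "The maximum time for a user's IP can be blocked is set to 60 minutes" should read "The maximum time a user's IP can be blocked is 60 minutes". Since the block is keyed on the client IP address, the section should also say what a throttled request receives (the error returned and whether it carries the remaining wait time) so clients can distinguish throttling from an invalid-credentials failure.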