Hi,
Is there any rate limiting restriction for access token request.
Jmix 1.5
An Account Takeover (ATO) attack application lacks proper rate limiting on authentication endpoints. In this scenario, an attacker
can systematically brute-force a username and password combination without being hindered
by limits on the number of attempts.
Without rate limiting, there is no mechanism to restrict the number of login attempts from a
single IP address or session within a certain period, allowing attackers to use automation tools
to try a large number of password combinations. This can lead to a successful account
compromise, giving attackers unauthorised access to user accounts.
Recommendation: It is recommended to implement rate limiting on authentication endpoints to
limit the number of login attempts.