Getting and Updating the Brute Force Configuration
Learn how to retrieve and update the brute force configuration by using the Auth0 API.
In this lesson, we'll see how we can update the brute force configuration or get the brute force configuration using an API call. To achieve these tasks, we'll use the https://{{DOMAIN}}/api/v2/attack-protection/brute-force-protection endpoint. Getting the brute force configuration is a GET request, while updating the brute force configuration is a PATCH request.
Getting the brute force configuration
In Auth0, brute force protection is a feature that helps to protect our authentication system against brute force attacks. It works by limiting the number of failed login attempts that can be made within a specified time frame. In Auth0, we can also retrieve the brute force configuration details by sending a GET HTTPS request to the brute-force-protection endpoint.
Request parameters
There are no request parameters required for this particular endpoint.
Click the “Run” button to retrieve the brute force configurations.
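```javascript
// Importing libraries here
const fetch = require('node-fetch');

const endpointUrl = new URL('https://{{DOMAIN}}/api/v2/attack-protection/brute-force-protection');

const headerParameters = {
  'Content-Type': 'application/json',
  'Authorization': 'Bearer {{ACCESS_TOKEN}}',
}

const options = {
  method: 'GET',
  headers: headerParameters,
};

async function getBruteForceConfigurations() {
  try {
    const response = await fetch(endpointUrl, options);
    printResponse(response);
  } catch (error) {
    printError(error);
  }
}

getBruteForceConfigurations();

// Stand-ins for the helpers the lesson's code widget supplies (assumed behaviour).
async function printResponse(response) {
  console.log(response.status, JSON.stringify(await response.json(), null, 2));
}

function printError(error) {
  console.error(error);
}
```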
Let's look at the highlighted lines from the code shown above:
Line 4: We define the endpoint URL to retrieve the brute force configuration.
Line 18: We make a GET request using the fetch function.
Line 25: We invoke the getBruteForceConfigurations function.
Response fields
Successful execution of the above code retrieves the brute force configuration. The response fields are as follows:
| Name | Description |
| --- | --- |
| enabled | Contains the details of whether the brute force protection is enabled or not. |
| shields | Contains details about the customization of protection against brute force attacks. The values that can be used for the |
| mode | Determines the IP address used when counting the failed attempts. |
| allowlist | Defines the list of allowed IP addresses. |
| max_attempts | Defines the maximum number of attempts allowed. |
Updating the brute force configuration
After getting the current brute force configuration, it's time for us to update it. The Auth0 update brute force configuration method allows us to customize brute force configuration, including defining the maximum number of unsuccessful attempts a user can make and the action to take if a brute force attack is found. In this section of the lesson, we’ll configure some settings against brute-force attacks by using the brute-force-protection endpoint of Auth0.
Request parameters
To invoke this endpoint, we will use a PATCH request. We have a list of parameters that can be passed as body parameters. Let's look at some important ones in the table below:
| Parameter Name | Type | Category | Description |
| --- | --- | --- | --- |
| enabled | Boolean | Optional | Defines whether brute force protection should be enabled or not. |
| shields | Array | Optional | Defines the customization of protection against brute-force attacks. |
| allowlist | Array | Optional | Exempts IP addresses that will not be subjected to attack defense. |
| mode | String | Optional | Determines the IP address used when counting failed attempts. The values that can be used are |
| max_attempts | Integer | Optional | Defines the maximum number of unsuccessful attempts a user can make. |
Next, let's update the brute force configuration. Click the “Run” button to update the configuration.
```javascript
// Importing libraries here
const fetch = require('node-fetch');

const endpointUrl = new URL('https://{{DOMAIN}}/api/v2/attack-protection/brute-force-protection');

const headerParameters = {
  'Content-Type': 'application/json',
  'Authorization': 'Bearer {{ACCESS_TOKEN}}',
}

const bodyParameters = JSON.stringify({
  "enabled": true,
  "shields": [
    "block",
  ],
  "mode": "count_per_identifier_and_ip",
  "max_attempts": 5
});

const options = {
  method: 'PATCH',
  headers: headerParameters,
  body: bodyParameters,
};

async function updateBruteForceConfigurations() {
  try {
    const response = await fetch(endpointUrl, options);
    printResponse(response);
  } catch (error) {
    printError(error);
  }
}

updateBruteForceConfigurations();

// Stand-ins for the helpers the lesson's code widget supplies (assumed behaviour).
async function printResponse(response) {
  console.log(response.status, JSON.stringify(await response.json(), null, 2));
}

function printError(error) {
  console.error(error);
}
```
Let's look at the highlighted lines from the code shown above:
Line 4: We define the endpoint URL for the API call.
Lines 11–19: We define the bodyParameters object.
  Line 12: We define the enabled parameter and set its value to true, which will enable the brute force configurations.
  Lines 13–15: We define the shields parameter and set its value to block.
  Line 16: We define the mode parameter and set its value to count_per_identifier_and_ip.
  Line 17: We define the max_attempts parameter and set its value to 5.
Line 28: We make a PATCH request using the fetch function.
Line 35: We invoke the updateBruteForceConfigurations function.
Response fields
Successful execution of the above code enables the brute force configuration and returns its details. Some important response fields are as follows:
| Name | Description |
| --- | --- |
| enabled | Contains the details of whether brute force protection is enabled or not. |
| shields | Contains details about the customization of protection against brute-force attacks. |
| mode | Determines the IP address used when counting failed attempts. |
| allowlist | Defines the list of allowed IPs. |
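
The following is an added example, not part of the original lesson: it audits a configuration object shaped like the GET response above and builds a PATCH body containing only the fields that need to change. The function names, the BASELINE thresholds and the sample response are assumptions made for illustration, as is the use of CIDR notation in allowlist entries.

```javascript
// Added example: audit a brute-force-protection response and build a minimal PATCH body.
// BASELINE is an assumed policy for illustration, not an Auth0 recommendation.
const BASELINE = { maxAttemptsCeiling: 10, requiredShield: 'block' };

// True when an allowlist entry is a CIDR range wider than a single host.
function isBroadRange(entry) {
  const [addr, prefix] = String(entry).split('/');
  if (prefix === undefined) return false;
  const hostBits = addr.includes(':') ? 128 : 32;
  return Number(prefix) < hostBits;
}

function auditBruteForceConfig(config) {
  const findings = [];
  const patch = {};
  if (config.enabled !== true) {
    findings.push('protection is disabled');
    patch.enabled = true;
  }
  const shields = Array.isArray(config.shields) ? config.shields : [];
  if (!shields.includes(BASELINE.requiredShield)) {
    findings.push('shields does not include "block"');
    patch.shields = [...shields, BASELINE.requiredShield];
  }
  if (!Number.isInteger(config.max_attempts) || config.max_attempts > BASELINE.maxAttemptsCeiling) {
    findings.push(`max_attempts (${config.max_attempts}) exceeds ${BASELINE.maxAttemptsCeiling}`);
    patch.max_attempts = BASELINE.maxAttemptsCeiling;
  }
  // Allowlisted addresses are exempt from protection: report ranges for review, never auto-edit.
  const broad = (config.allowlist || []).filter(isBroadRange);
  if (broad.length > 0) {
    findings.push(`allowlist exempts whole ranges: ${broad.join(', ')}`);
  }
  return { findings, patch };
}

// Constructed sample response (not real tenant data).
const sampleConfig = {
  enabled: true,
  shields: ['user_notification'],
  mode: 'count_per_identifier_and_ip',
  allowlist: ['203.0.113.7', '198.51.100.0/24'],
  max_attempts: 50,
};

const result = auditBruteForceConfig(sampleConfig);
console.log(result.findings.join('\n'));
console.log('PATCH body:', JSON.stringify(result.patch));
```

Sending only the changed fields in the PATCH body keeps the update reviewable, and the allowlist finding is left for a human because removing an exemption can lock out a legitimate source.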