I was testing passing wrong passwords and emails through my login form, and it looks like the brute-force protections blocked my IP, which is cool, but now when I try to log in using my credentials I receive this error, which, as far as I understand from reading the docs, means that my IP is blocked:
Hey @marcuscaum, there are multiple types of attack protection that come into action during logins.
Brute-force Protection - When a single user attempts login with incorrect credentials (10 wrong attempts, unless this value is overridden in the dashboard), the IP is blocked for that user only. These blocks can be retrieved from GET /api/v2/user-blocks?identifier={id} or GET /api/v2/user-blocks/{user_id}.
Suspicious IP Throttling - When multiple users try 100+ failed login attempts or 50+ signups, that IP is blocked for everyone. These blocks can be found using the endpoint you used: GET /api/v2/anomaly/blocks/ips/{ip}.
Bot detection - This is a bit more complicated to explain, but you can read about it here. You can’t search for IPs blocked by this.
The error you received seems to be from bot detection, so those endpoints will not show that it was blocked. You can verify this by turning off bot detection temporarily. It’s not possible to unblock those IPs manually, but usually Auth0 login pages will display a captcha when this error is received so the user can solve it to complete the login.
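One way to query the two endpoints named above from a script and infer a bot-detection block by elimination, as an added example (not Auth0's SDK or code from this thread). The response shapes, the 404-when-not-blocked behaviour, and the tenant domain and token placeholders are assumptions:

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def api_get(domain, token, path):
    """Live transport: GET https://{domain}{path} with a Management API token.
    Returns (status, body) and treats HTTP errors such as 404 as ordinary results."""
    req = urllib.request.Request(
        f"https://{domain}{path}", headers={"Authorization": f"Bearer {token}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def triage_block(identifier, ip, get):
    """Classify why a login from `ip` for `identifier` is being blocked.
    `get(path) -> (status, body)` is injected so the logic also runs offline."""
    result = {"brute_force": False, "suspicious_ip": False, "likely_bot_detection": False}

    # Brute-force protection: a per-user block, listed per source IP.
    # Assumed shape: {"blocked_for": [{"identifier": ..., "ip": ...}, ...]}
    status, body = get(
        "/api/v2/user-blocks?identifier=" + urllib.parse.quote(identifier, safe="")
    )
    if status == 200:
        entries = json.loads(body).get("blocked_for", [])
        # An entry without an "ip" field is treated as applying to every IP.
        result["brute_force"] = any(e.get("ip", ip) == ip for e in entries)

    # Suspicious IP throttling: a tenant-wide block on the IP.
    # Assumed: HTTP 200 when the IP is blocked, 404 when it is not.
    status, _ = get("/api/v2/anomaly/blocks/ips/" + urllib.parse.quote(ip, safe=""))
    result["suspicious_ip"] = status == 200

    # Bot detection records nothing in either endpoint, so it is inferred by elimination.
    result["likely_bot_detection"] = not (result["brute_force"] or result["suspicious_ip"])
    return result


if __name__ == "__main__":
    from functools import partial
    # Placeholders: your tenant domain and a Management API token allowed to
    # read user blocks and anomaly blocks.
    live_get = partial(api_get, "YOUR_TENANT.auth0.com", "YOUR_MGMT_API_TOKEN")
    print(triage_block("user@example.com", "203.0.113.7", live_get))
```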
But in my case we are doing the login manually using the endpoints, passing email and password with the http://auth0.com/oauth/grant-type/password-realm grant_type, mostly because our application is a React Native application and, since we are using Expo, we can’t use the Auth0 SDK directly. So how should I handle the captcha in this case?
Yeah, it worked, so if it’s not supported, why did I get blocked by it? Is there any way to just disable the bot detection for my Auth0 application related to React Native? Both of our applications (web and mobile) currently share the same tenant.
This is a limitation of the feature at the moment - with ROPG it is triggered, but you can’t go around it by proving you’re human. It’d be helpful if you could add some feedback with the use case so this can be improved.
I’m afraid you might have to turn off bot detection until the flow is fully supported. It’s all-or-nothing for now.