Too many attempts! You must wait xxx seconds before trying again

After I input the wrong password many times, I get ‘too many attempts! You must wait xxx seconds before trying again’. I tried to wait xxx seconds, but I still couldn’t log in. It will continue to prompt ‘too many attempts! You must wait xxx seconds before trying again’. The waiting time is getting longer.
How long should I wait? It indicates that the waiting time is obviously not accurate.

Hi @rayn
Which version of Metabase? Please post “Diagnostic Info” from Admin > Troubleshooting.
Are you using a reverse-proxy in front of Metabase?

I’m sorry to have taken so long to reply

Version 0.32.9. I can’t find diagnostic info.

I’m using a reverse-proxy. During this period, users often say that their password is wrong and they can’t log in after changing the password.
I’m sure it didn’t happen before, but it has happened frequently in the last two months.

@rayn This was fixed in 0.33.2 - latest release is 0.34.3
https://github.com/metabase/metabase/pull/10593

Thanks!

I have now upgraded Metabase to v0.33.7.3.

I encountered a problem: I changed the password, and the password in the Metabase db has also changed, but I can’t use the modified password when I log in.

But I can log in with the password when I first enter metabase, that is to say, no matter how I change the password, it will not take effect. Instead of verifying with the ‘core_user’ table, it always uses the old password

Diagnostic Info

{
  "browser-info": {
    "language": "zh-CN",
    "platform": "Win32",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36",
    "vendor": "Google Inc."
  },
  "system-info": {
    "java.runtime.name": "Java™ SE Runtime Environment",
    "java.runtime.version": "1.8.0_45-b14",
    "java.vendor": "Oracle Corporation",
    "java.vendor.url": "http://java.oracle.com/",
    "java.version": "1.8.0_45",
    "java.vm.name": "Java HotSpot™ 64-Bit Server VM",
    "java.vm.version": "25.45-b02",
    "os.name": "Linux",
    "os.version": "3.10.0-957.el7.x86_64",
    "user.language": "en",
    "user.timezone": "Asia/Shanghai"
  },
  "metabase-info": {
    "databases": [
      "h2",
      "mysql",
      "sparksql",
      "presto"
    ],
    "hosting-env": "unknown",
    "application-database": "mysql",
    "run-mode": "prod",
    "version": {
      "tag": "v0.33.7.3",
      "date": "2019-12-16",
      "branch": "release-0.33.x",
      "hash": "7ee7193"
    },
    "settings": {
      "report-timezone": "Asia/Hong_Kong"
    }
  }
}

@rayn Try the latest release 0.34.3 - many of the forms were updated, so it should notify more clearly if anything goes wrong.
Check the log (Admin > Troubleshooting > Logs) and browser developer console for any errors, while saving the password.
And upgrade your Java, that’s really old - or use the Docker version instead.

I’ll try your advice

I want to know if metabase has cached the user and password in one place. I did a test. When I changed the password, I couldn’t log in with the new password, but the old password was OK. I modified the email in the user management, and then I could log in with the new email and the previously modified password

I think there is a place to cache the old password. I don’t know if there is such a mechanism. If so, how can I clear it? I restarted metabase, but I can’t

@rayn Metabase does not cache the credentials. I think it has something to do with your setup, but it’s difficult to troubleshoot that without having much more information and exact steps-to-reproduce.

Hi Flamber.

After updating to version 0.36.6 we started to receive this error.
Some users could not log in the application with their actual password.

username “Too many attempts! You must wait 249145 seconds before trying again.”}}

@AdrianoSM So either someone is attacking your server right now, which Metabase is preventing correctly, or you’re using a reverse-proxy but haven’t set the correct header, meaning that every login is listed as coming from the reverse-proxy:
https://github.com/metabase/metabase/blob/master/docs/operations-guide/environment-variables.md#mb_source_address_header
There’s no change in 0.36.6 in how throttling is handled, so which version did you upgrade from?
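
A simplified model of the reverse-proxy case described above, added here as an illustration and not taken from Metabase's source. The threshold, the addresses and the header names passed in are assumptions; the point is what the throttle keys on when the header the proxy sends is not the one named by `MB_SOURCE_ADDRESS_HEADER`.

```python
# Simplified model of a login throttle keyed on source address (not Metabase's code).
from collections import defaultdict

PROXY_IP = "10.0.0.5"   # constructed: the reverse proxy's own address
MAX_FAILURES = 5        # assumed threshold before a source is throttled


def source_address(peer_ip, headers, configured_header):
    """Address the throttle keys on: the configured header, else the TCP peer."""
    value = headers.get(configured_header, "")
    # X-Forwarded-For style values may be a list; the first entry is the client.
    return value.split(",")[0].strip() or peer_ip


def locked_out_bystander(proxy_header, configured_header):
    """One client fails 20 logins through the proxy; is a different client blocked?"""
    failures = defaultdict(int)

    def key_for(client_ip):
        # The proxy forwards the real client address in `proxy_header`;
        # the application only ever sees PROXY_IP as the connection peer.
        return source_address(PROXY_IP, {proxy_header: client_ip}, configured_header)

    for _ in range(20):
        failures[key_for("203.0.113.7")] += 1   # noisy client, wrong password
    return failures[key_for("198.51.100.20")] >= MAX_FAILURES
```

With mismatched header names every failure is counted against the proxy address, so the second client is throttled without ever having failed a login; with matching names each client has its own counter.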

Hi Flamber!

We upgraded from 0.36.3 to 0.36.6

I’ll check this point about reverse-proxy.
Is it recommended to disable or reset passwords too?

@AdrianoSM Okay, there are no changes to the throttle between those versions.

I don’t understand your question. Check your logs to figure out what is causing this.

[f4f849db-f32d-44bc-97c5-5b51be410b4b] 2020-10-05T15:20:38-03:00 DEBUG metabase.middleware.log GET /api/embed/dashboard//dashcard/20/card/26 202 [ASYNC: completed] 447.2 ms (17 chamadas ao banco de dados) Conexões de banco de dados do aplicativo: 1 / 15 Threads do Jetty: 2 / 50 (7 ocioso, 0 na fila) (116 total de threads ativas) Consultas ativas: 1 (0 na fila)
[f4f849db-f32d-44bc-97c5-5b51be410b4b] 2020-10-05T15:20:39-03:00 DEBUG metabase.middleware.log POST /api/session 400 1.1 ms (0 chamadas ao banco de dados)
{:errors {:username "Too many attempts! You must wait 96120 seconds before trying again."}}

[f4f849db-f32d-44bc-97c5-5b51be410b4b] 2020-10-05T15:20:43-03:00 DEBUG metabase.middleware.log POST /api/session 400 993.4 µs (0 chamadas ao banco de dados)
{:errors {:username "Too many attempts! You must wait 96117 seconds before trying again."}}

[f4f849db-f32d-44bc-97c5-5b51be410b4b] 2020-10-05T15:20:44-03:00 DEBUG metabase.middleware.log POST /api/session 400 975.5 µs (0 chamadas ao banco de dados)
{:errors {:username "Too many attempts! You must wait 96539 seconds before trying again."}}

[f4f849db-f32d-44bc-97c5-5b51be410b4b] 2020-10-05T15:20:46-03:00 DEBUG metabase.middleware.log POST /api/session 400 1.1 ms (0 chamadas ao banco de dados)
{:errors {:username "Too many attempts! You must wait 96956 seconds before trying again."}}

[f4f849db-f32d-44bc-97c5-5b51be410b4b] 2020-10-05T15:20:47-03:00 DEBUG metabase.middleware.log POST /api/session 400 1.6 ms (0 chamadas ao banco de dados)
{:errors {:username "Too many attempts! You must wait 97377 seconds before trying again."}}

[f4f849db-f32d-44bc-97c5-5b51be410b4b] 2020-10-05T15:20:51-03:00 DEBUG metabase.middleware.log POST /api/session 400 1.1 ms (0 chamadas ao banco de dados)
{:errors {:username "Too many attempts! You must wait 97794 seconds before trying again."}}

[f4f849db-f32d-44bc-97c5-5b51be410b4b] 2020-10-05T15:20:55-03:00 DEBUG metabase.middleware.log GET /api/dashboard/118 200 54.6 ms (29 chamadas ao banco de dados) Conexões de banco de dados do aplicativo: 1 / 15 Threads do Jetty: 3 / 50 (5 ocioso, 0 na fila) (115 total de threads ativas) Consultas ativas: 1 (0 na fila)

Is there some limitation in the requests per user?
We don’t use a reverse proxy. I’m checking the configuration too.

@AdrianoSM
Post “Diagnostic Info” from Admin > Troubleshooting.

{
  "browser-info": {
    "language": "pt-BR",
    "platform": "Win32",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
    "vendor": "Google Inc."
  },
  "system-info": {
    "file.encoding": "UTF-8",
    "java.runtime.name": "OpenJDK Runtime Environment",
    "java.runtime.version": "11.0.8+10",
    "java.vendor": "AdoptOpenJDK",
    "java.vendor.url": "https://adoptopenjdk.net/",
    "java.version": "11.0.8",
    "java.vm.name": "OpenJDK 64-Bit Server VM",
    "java.vm.version": "11.0.8+10",
    "os.name": "Linux",
    "os.version": "4.15.0-112-generic",
    "user.language": "en",
    "user.timezone": "America/Sao_Paulo"
  },
  "metabase-info": {
    "databases": [
      "googleanalytics",
      "sqlserver"
    ],
    "hosting-env": "unknown",
    "application-database": "postgres",
    "application-database-details": {
      "database": {
        "name": "PostgreSQL",
        "version": "12.1"
      },
      "jdbc-driver": {
        "name": "PostgreSQL JDBC Driver",
        "version": "42.2.8"
      }
    },
    "run-mode": "prod",
    "version": {
      "date": "2020-09-15",
      "tag": "v0.36.6",
      "branch": "release-0.36.x",
      "hash": "cb258fb"
    },
    "settings": {
      "report-timezone": "America/Sao_Paulo"
    }
  }
}

@AdrianoSM I don’t know what’s going wrong then, but if you can provide steps-to-reproduce, then please do. Downgrade to 0.36.3, since you weren’t having problems with that version.

I’m fairly sure that something is trying to login to your Metabase every 1-2 seconds. Check your network activity and firewall the problematic IPs.
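
One way to check that reading from the log itself, as an added example that is not part of the thread or of Metabase: pair each rejected `POST /api/session` with its "Too many attempts" message, then measure how often attempts arrive and how much each one extends the lockout. The sample is constructed from the timestamps and wait values in the excerpt above; the function names are hypothetical.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample: request id, timestamps and wait values reuse the excerpt above.
PREFIX = "[f4f849db-f32d-44bc-97c5-5b51be410b4b] 2020-10-05T15:20:"
REQ = "-03:00 DEBUG metabase.middleware.log POST /api/session 400 1.1 ms\n"
ERR = '{:errors {:username "Too many attempts! You must wait %d seconds before trying again."}}\n'
OBSERVED = [("39", 96120), ("43", 96117), ("44", 96539),
            ("46", 96956), ("47", 97377), ("51", 97794)]
SAMPLE_LOG = "".join(PREFIX + sec + REQ + ERR % wait for sec, wait in OBSERVED)

REQUEST = re.compile(
    r"^\[[0-9a-f-]+\] (\S+) \w+ metabase\.middleware\.log (\w+) (\S+) (\d{3})")
WAIT = re.compile(r"You must wait (\d+) seconds")


def throttled_logins(log_text):
    """Return [(timestamp, wait_seconds)] for each throttled POST /api/session."""
    events, pending = [], None
    for line in log_text.splitlines():
        req = REQUEST.match(line)
        if req:
            ts, method, path, status = req.groups()
            is_login = (method, path, status) == ("POST", "/api/session", "400")
            pending = datetime.fromisoformat(ts) if is_login else None
            continue
        wait = WAIT.search(line)
        if wait and pending is not None:
            events.append((pending, int(wait.group(1))))
            pending = None
    return events


def summarize(events):
    """Attempt rate and how much each rejected attempt extends the lockout."""
    if len(events) < 2:
        return {"attempts": len(events)}
    times = [t for t, _ in events]
    waits = [w for _, w in events]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    # The remaining wait should fall by the elapsed time; anything above that was added.
    added = [w2 - (w1 - gap) for w1, w2, gap in zip(waits, waits[1:], gaps)]
    return {"attempts": len(events), "median_gap_s": median(gaps),
            "median_added_s": median(added), "lockout_growing": waits[-1] > waits[0]}
```

The log lines shown here carry no source address, so the attempt timestamps have to be matched against the proxy or firewall log to find the client behind them.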