jaredfolkins / badactor

BadActor.org An in-memory application driven jailer written in Go

Home Page: https://badactor.org


Add function to clear infractions

terrabitz opened this issue · comments

The problem

In many cases, it's perfectly acceptable to increase infractions monotonically. However, it may be desirable to clear a bad actor's infraction record on certain events before they're jailed. For example, I would like to be able to reset a requestor's infractions on a successful login, since there may be overriding reasons why infractions were made despite the client having the correct password.

This is also, for example, how Windows domain login works to determine account lockout.

Recommended Solution

A new function should be exposed on the Studio called ClearInfraction which allows clearing all infractions for a specific actor/rule combo.

I appreciate this. I'm not going to add this to BadActor currently. The more complexity I add the more it doesn't serve its niche. The more I add the more I fear it destabilizes what and who BadActor serves. It is super lightweight and made to add just enough friction to your web application or API or service, so that attackers move on.

At this point, we start going down the path of a full cache. And that is when I'd suggest badgerio, or redis, or another KV store.

I hope that makes sense. Again, I appreciate this. Please don't take it personally.

That makes sense. If I wanted something that kept a detailed record of infractions and the ability to mutate them in more specialized ways, I would probably want to keep the data centralized in a separate service. Plus it could easily exacerbate problems in a multi-node architecture where one node has cleared infractions while other nodes still have an infraction record for that particular actor.
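The reset-on-success behaviour requested in this issue, sketched as an added example that is not BadActor's code or API: `Tracker`, `Infraction` and `ClearInfraction` are hypothetical names for a stand-alone per-actor/rule strike counter. It assumes a single process, so the multi-node divergence raised in the last comment still applies, and it refuses to clear an actor who is already jailed.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

type key struct{ actor, rule string }

type record struct{ strikes int; jailedUntil time.Time }

// Tracker is a hypothetical in-memory jailer for this example, not BadActor's Studio.
type Tracker struct {
	mu       sync.Mutex
	limit    int           // strikes that trigger jail
	sentence time.Duration // how long jail lasts
	recs     map[key]record
}

// Infraction adds a strike and reports whether the actor is jailed afterwards.
func (t *Tracker) Infraction(actor, rule string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	r := t.recs[key{actor, rule}]
	if !now.Before(r.jailedUntil) { // not currently jailed: count the strike
		if r.strikes++; r.strikes >= t.limit {
			r = record{jailedUntil: now.Add(t.sentence)}
		}
		t.recs[key{actor, rule}] = r
	}
	return now.Before(r.jailedUntil)
}

// ClearInfraction resets strikes after a success; it never frees a jailed actor.
func (t *Tracker) ClearInfraction(actor, rule string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	if now.Before(t.recs[key{actor, rule}].jailedUntil) {
		return false
	}
	delete(t.recs, key{actor, rule})
	return true
}

func main() {
	t := &Tracker{limit: 3, sentence: time.Minute, recs: map[key]record{}}
	fmt.Println(t.Infraction("198.51.100.7", "login", time.Now())) // constructed actor and rule
}
```

A login handler would call `Infraction` on each failed attempt and `ClearInfraction` only after the credentials verify.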