fix: Clear IP rate limits when admin unlocks account

When an admin manually unlocks an account, both the account-level
lockout and all IP-based rate limits for the login endpoint are now
cleared. This ensures legitimate users can immediately attempt to
log in after being unlocked, without being blocked by stale rate
limit cache entries.

Changes:
- Added clearAllRateLimitsForEndpoint() function to database utils
- Modified unlock endpoint to clear login rate limits after unlocking
- Updated success message to reflect rate limit clearing
- Enhanced logging to track rate limit clearing operations

Fixes issue where users would see "Too many login attempts" message
even with correct credentials after admin unlock, due to persistent
IP rate limit cache from previous failed attempts.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-06 07:53:36 -05:00
parent 4aaeb0d579
commit 0126b7e835
2 changed files with 19 additions and 4 deletions


@@ -1,4 +1,4 @@
import { unlockAccount, getUserByUsername, getDatabase } from '~/server/utils/database'
import { unlockAccount, getUserByUsername, getDatabase, clearAllRateLimitsForEndpoint } from '~/server/utils/database'
import { getSessionUsername } from '~/server/utils/auth'
export default defineEventHandler(async (event) => {
@@ -41,14 +41,18 @@ export default defineEventHandler(async (event) => {
})
}
// Unlock the account
// Unlock the account (resets account-level lockout)
unlockAccount(id)
console.log(`[ACCOUNT UNLOCKED] Admin ${username} unlocked account: ${targetUser.username}`)
// Clear ALL IP-based rate limits for the login endpoint
// This ensures the user can immediately attempt to login without being blocked by stale rate limits
clearAllRateLimitsForEndpoint('login')
console.log(`[ACCOUNT UNLOCKED] Admin ${username} unlocked account: ${targetUser.username} and cleared all login rate limits`)
return {
success: true,
message: `Account unlocked successfully. Failed attempts reset to 0.`,
message: `Account unlocked successfully. Failed attempts and rate limits have been reset.`,
user: {
username: targetUser.username,
previousAttempts: targetUser.failed_login_attempts,
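Review bot: the call `clearAllRateLimitsForEndpoint('login')` added after `unlockAccount(id)` resets the login throttle for every source IP, not only the IPs that were locked out while attempting this user's account, so a single admin unlock silently removes brute-force protection for all other accounts and for any unrelated IP that was being throttled at that moment. Consider scoping the reset to the IPs recorded against `targetUser`'s failed attempts (or to the admin-supplied IP), and keep the endpoint-wide clear behind an explicit, separately logged action if it is needed at all. Also, the `[ACCOUNT UNLOCKED]` log line and the `message` string now claim that rate limits were reset before the hunk shows any result from `clearAllRateLimitsForEndpoint`; if that function can fail or returns a count, log the count so the audit trail reflects what was actually cleared.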