RyderTech/nlcc-itinerary
1
0
Fork 0
Code Issues Pull Requests Packages Activity

fix: Align account lockout threshold with IP rate limiting

Browse Source 
Fixed inconsistency between IP-based rate limiting and per-account lockout.
Previously, users would hit the IP rate limit at 5 attempts (15 min lockout)
but the account wouldn't be marked as locked until 10 attempts (30 min).
This caused confusion in the admin UI where locked accounts wouldn't show
the unlock button until 10 attempts were reached.

Changes:
- Reduced account lockout threshold from 10 to 5 failed attempts
- Reduced account lockout duration from 30 to 15 minutes
- Updated error message to reflect 15 minute lockout period
- Added detailed logging when account gets locked
- Updated README documentation to reflect correct limits

Both protection layers now work in harmony:
- IP-based rate limiting: 5 attempts = 15 min lockout
- Per-account lockout: 5 attempts = 15 min lock

This ensures the admin UI accurately shows account lock status and provides
the unlock option as soon as users hit the lockout threshold.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Joshua Ryder
2025-11-05 18:32:17 -05:00
parent c7142ca6a5
commit 4aaeb0d579
3 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
server/utils/database.ts
View File

@@ -469,17 +469,19 @@ export function incrementFailedAttempts(username: string): void {
if (!user) return
const newAttempts = (user.failed_login_attempts || 0) + 1
const maxAttempts = 10
const maxAttempts = 5 // Aligned with IP rate limiting
if (newAttempts >= maxAttempts) {
// Lock account for 30 minutes
const lockUntil = new Date(Date.now() + 30 * 60 * 1000).toISOString()
// Lock account for 15 minutes (aligned with IP rate limiting)
const lockUntil = new Date(Date.now() + 15 * 60 * 1000).toISOString()
db.prepare('UPDATE users SET failed_login_attempts = ?, locked_until = ? WHERE username = ?')
.run(newAttempts, lockUntil, username)
console.log(`[ACCOUNT LOCKED] User ${username} locked after ${newAttempts} failed attempts until ${lockUntil}`)
} else {
// Just increment counter
db.prepare('UPDATE users SET failed_login_attempts = ? WHERE username = ?')
.run(newAttempts, username)
console.log(`[ACCOUNT SECURITY] Failed login attempt #${newAttempts} for user: ${username}`)
}
}