Joshua Ryder
4aaeb0d579
Fixed inconsistency between IP-based rate limiting and per-account lockout. Previously, users would hit the IP rate limit at 5 attempts (15 min lockout) but the account wouldn't be marked as locked until 10 attempts (30 min). This caused confusion in the admin UI where locked accounts wouldn't show the unlock button until 10 attempts were reached. Changes: - Reduced account lockout threshold from 10 to 5 failed attempts - Reduced account lockout duration from 30 to 15 minutes - Updated error message to reflect 15 minute lockout period - Added detailed logging when account gets locked - Updated README documentation to reflect correct limits Both protection layers now work in harmony: - IP-based rate limiting: 5 attempts = 15 min lockout - Per-account lockout: 5 attempts = 15 min lock This ensures the admin UI accurately shows account lock status and provides the unlock option as soon as users hit the lockout threshold. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
20 KiB
20 KiB