From 3d7361b771684cf05a3dbccf1121bdd2927509a6 Mon Sep 17 00:00:00 2001
From: Kibi Kelburton
Date: Mon, 11 May 2026 03:28:33 +0200
Subject: [PATCH] patching that anyone was able to lock out anyone of their account at will
---
 src/inc/routes/admin.mjs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/inc/routes/admin.mjs b/src/inc/routes/admin.mjs
index 8bafb1c..4198027 100644
--- a/src/inc/routes/admin.mjs
+++ b/src/inc/routes/admin.mjs
@@ -40,7 +40,7 @@ export default (router, tpl) => {
 return fail("Invalid username or password.");
 }
- if (await security.isRateLimited(ip, username, 'login')) {
+ if (await security.isRateLimited(ip, null, 'login')) {
 const msg = "Too many attempts.";
 if (req.headers['x-requested-with'] === 'XMLHttpRequest' || (req.headers.accept && req.headers.accept.includes('application/json'))) {
 return res.writeHead(429, { 'Content-Type': 'application/json' }).end(JSON.stringify({ success: false, msg }));
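Review bot: Passing `null` for the username in `security.isRateLimited(ip, null, 'login')` leaves the login limiter keyed on the client address alone, so password guessing against a single account is no longer throttled per account once the attempts come from more than one address. That trade-off closes the lockout the commit describes, but it should be recorded at the call site so a later change does not restore the username key, e.g. `// username deliberately not passed: a per-username limit let any client lock another user out`. A per-account control that slows rather than blocks (a progressive delay, or a counter keyed on address and username together) would cover the remaining gap, if the `security` helper can support it. The helper's implementation and the derivation of `ip` are outside this hunk, so confirm that `ip` is not read from a client-supplied header, since the limit now rests on it entirely. The handler's body starts and ends outside the hunk.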