Patch a flaw that let anyone lock any other user out of their account at will

2026-05-11 03:28:33 +02:00
parent 4390a9eca2
commit 3d7361b771


@@ -40,7 +40,7 @@ export default (router, tpl) => {
return fail("Invalid username or password.");
}
if (await security.isRateLimited(ip, username, 'login')) {
if (await security.isRateLimited(ip, null, 'login')) {
const msg = "Too many attempts.";
if (req.headers['x-requested-with'] === 'XMLHttpRequest' || (req.headers.accept && req.headers.accept.includes('application/json'))) {
return res.writeHead(429, { 'Content-Type': 'application/json' }).end(JSON.stringify({ success: false, msg }));
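Review bot: Passing `null` in place of `username` in `security.isRateLimited(ip, null, 'login')` appears to leave login throttling keyed on the client IP alone, so guesses against one account spread over many addresses would no longer be counted together; this is inferred from the call, since `isRateLimited` itself is not in the hunk. Consider keeping a second, per-account counter that slows responses or asks for an additional challenge instead of blocking, so the lockout stays fixed without losing per-account throttling. How `ip` is derived is also not visible here; if it comes from a forwarded header, it should only be trusted when set by a known proxy. A comment on the call would help the next reader, e.g. `// username omitted on purpose: a per-username limit let any client lock another user out`. The enclosing handler starts and ends outside the hunk.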