patching that anyone was able to lock out anyone of their account at will
@@ -40,7 +40,7 @@ export default (router, tpl) => {
|
|||||||
return fail("Invalid username or password.");
|
return fail("Invalid username or password.");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (await security.isRateLimited(ip, username, 'login')) {
|
if (await security.isRateLimited(ip, null, 'login')) {
|
||||||
const msg = "Too many attempts.";
|
const msg = "Too many attempts.";
|
||||||
if (req.headers['x-requested-with'] === 'XMLHttpRequest' || (req.headers.accept && req.headers.accept.includes('application/json'))) {
|
if (req.headers['x-requested-with'] === 'XMLHttpRequest' || (req.headers.accept && req.headers.accept.includes('application/json'))) {
|
||||||
return res.writeHead(429, { 'Content-Type': 'application/json' }).end(JSON.stringify({ success: false, msg }));
|
return res.writeHead(429, { 'Content-Type': 'application/json' }).end(JSON.stringify({ success: false, msg }));
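Review bot: Passing `null` for the username in `security.isRateLimited(ip, null, 'login')` leaves this login path with no per-account throttle, so failed guesses against one account that arrive from many addresses are never counted together. A middle ground that keeps the lockout fix is to count failures per (ip, username) pair, or to apply a soft per-account measure such as a growing delay or a challenge instead of a hard block; which fits depends on `isRateLimited`, which is not visible here. It is also worth confirming that the helper treats `null` as "no username dimension" rather than as a literal key value. Recording the intent at the call site would help the next maintainer, e.g. `// username omitted on purpose: a per-username limit let any client lock another user out`. The enclosing handler starts and ends outside the hunk.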
|
||||||
|
|||||||