From 65ecca8c612fab52a1a6070821daa65c35776f70 Mon Sep 17 00:00:00 2001
From: Kibi Kelburton
Date: Tue, 5 May 2026 19:52:04 +0200
Subject: [PATCH] fix
---
 src/inc/routes/admin.mjs | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/src/inc/routes/admin.mjs b/src/inc/routes/admin.mjs
index a281ded..8bafb1c 100644
--- a/src/inc/routes/admin.mjs
+++ b/src/inc/routes/admin.mjs
@@ -26,7 +26,17 @@ export default (router, tpl) => {
 const username = req.post.username;
 const password = req.post.password;
- if (!password || password.length < 20) {
+ const fail = async (msg) => {
+ await security.recordAttempt(ip, username, 'login', false);
+ // Artificial delay to prevent timing attacks and slow down brute-force
+ await new Promise(resolve => setTimeout(resolve, 1000));
+ if (req.headers['x-requested-with'] === 'XMLHttpRequest' || (req.headers.accept && req.headers.accept.includes('application/json'))) {
+ return res.writeHead(200, { 'Content-Type': 'application/json' }).end(JSON.stringify({ success: false, msg }));
+ }
+ return res.reply({ body: tpl.render("login", { error: msg, theme: req.theme }) });
+ };
+
+ if (!username || !password || password.length < 20) {
 return fail("Invalid username or password.");
 }
@@ -45,15 +55,6 @@ export default (router, tpl) => {
 limit 1 `;
- const fail = async (msg) => {
- await security.recordAttempt(ip, username, 'login', false);
- // Artificial delay to prevent timing attacks and slow down brute-force
- await new Promise(resolve => setTimeout(resolve, 1000));
- if (req.headers['x-requested-with'] === 'XMLHttpRequest' || (req.headers.accept && req.headers.accept.includes('application/json'))) {
- return res.writeHead(200, { 'Content-Type': 'application/json' }).end(JSON.stringify({ success: false, msg }));
- }
- return res.reply({ body: tpl.render("login", { error: msg, theme: req.theme }) });
- };
 if (user.length === 0) return fail("user doesn't exist or wrong password");
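Review bot: The comment above the `setTimeout` in `fail` overstates what the fixed 1000 ms sleep does: the sleep is added on top of whatever each failure path already took, so the early validation failure and the later failures after the query (such as `user.length === 0`) still differ by the query time and any work done in between. Either reword the comment to `// Fixed delay to slow down brute-force; does not equalise timing between failure paths`, or capture `const started = Date.now();` at the top of the handler and sleep for `Math.max(0, 1000 - (Date.now() - started))` instead. With the added `!username` check, `fail` now also runs when the username is missing, so `security.recordAttempt` receives an empty or undefined `username`; its implementation is not visible here, so it is worth confirming that it tolerates that and does not bucket all such attempts under one key. The route handler starts and ends outside this hunk.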