feat: implement rate limiting for authentication endpoints and enhance error handling for login attempts

Anish Sarkar 2026-02-08 18:08:56 +05:30
parent 54b4501ca6
commit 79f004bbb1
6 changed files with 3374 additions and 3226 deletions


@ -192,6 +192,9 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
except UserNotExists:
# Still hash the password to mitigate timing attacks
self.password_helper.hash(credentials.password)
logger.warning(
f"Login attempt for non-existent account: {credentials.username}"
)
raise HTTPException(
status_code=400,
detail="LOGIN_USER_NOT_FOUND",
@ -201,6 +204,9 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
credentials.password, user.hashed_password
)
if not verified:
logger.warning(
f"Failed login attempt (wrong password) for user: {user.id}"
)
return None
if updated_password_hash is not None:
await self.user_db.update(user, {"hashed_password": updated_password_hash})
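Review bot: The new warning in the first hunk interpolates `credentials.username` straight into the log line, and at a login endpoint that value is caller-controlled, so a username containing newlines or control characters can forge additional log records and the log retains whatever identifier was submitted. Prefer lazy %-formatting with `%r` so the value is escaped and only rendered when the level is enabled: `logger.warning("Login attempt for non-existent account: %r", credentials.username)`. The second hunk logs `user.id`, a server-side identifier, which is the safer shape; the first could likewise log a length-capped form of the username if the full value is not needed for investigation. The enclosing method starts outside both hunks, and the rate limiting named in the commit title is not visible in this section, so I cannot tell from here whether these warnings are what feeds it.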