admin/Hermes-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add IP-based login brute-force protection (#531)

Browse Source 
* feat: add IP-based login brute-force protection

- Per-IP rate limiting: 3 failed login attempts locks the IP for 1 hour
- Separate counters for password login and token auth
- Global safety net: 20 req/min, hard lock after 50 total failures
- Persistent lock state to ~/.hermes-web-ui/.login-lock.json (survives restarts)
- Manual unlock: edit or delete the lock file
- Frontend handles 429/503 responses with localized error messages
- i18n support for 8 languages

* feat: add locked IP management endpoint and UI

- GET /api/auth/locked-ips: list all currently locked IPs (protected)
- DELETE /api/auth/locked-ips/:ip: unlock a specific IP (protected)
- DELETE /api/auth/locked-ips: unlock all IPs (protected)
- AccountSettings: shows locked IPs with remaining time, unlock buttons
- i18n support for 8 languages
- Clean up stale .js artifacts, add .gitignore rule

* fix: cross-type IP lock and IPv6-compatible unlock route

- Password and token login now share IP lock state: if an IP is locked
  by either method, ALL auth methods are blocked for that IP
- Changed unlock endpoint from path param to query param (?ip=xxx) to
  support IPv6 addresses containing colons
- Merged unlockIp and unlockAll into a single handler

* chore: increase global login rate limit from 20 to 100 requests per minute

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: ekko <fqsy1416@gmail.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
ccc
2026-05-08 18:29:43 +08:00
committed by GitHub
parent 6291f0d589
commit 4859c32045
17 changed files with 644 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/client/src/i18n/locales/de.ts
+11
View File
@@ -14,6 +14,7 @@ export default {
passwordPlaceholder: 'Passwort',
credentialsRequired: 'Bitte Benutzername und Passwort eingeben',
invalidCredentials: 'Ungultiger Benutzername oder Passwort',
tooManyAttempts: 'Zu viele fehlgeschlagene Versuche, bitte versuchen Sie es spater erneut',
passwordMismatch: 'Passworter stimmen nicht uberein',
passwordTooShort: 'Passwort muss mindestens 6 Zeichen lang sein',
setupSuccess: 'Passwort-Login erfolgreich konfiguriert',
@@ -519,6 +520,16 @@ jobTriggered: 'Job ausgelost',
cors: 'CORS-Ursprunge',
corsHint: 'Erlaubte Cross-Origin-Quellen',
},
lockedIps: {
title: 'Gesperrte IPs',
count: '{count} gesperrt',
empty: 'Keine gesperrten IPs',
unlock: 'Entsperren',
unlockAll: 'Alle entsperren',
unlockAllConfirm: 'Alle gesperrten IPs entsperren?',
unlocked: 'IP entsperrt',
allUnlocked: '{count} IPs entsperrt',
},
},
// Platform channel settings