admin/Hermes-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add IP-based login brute-force protection (#531)

Browse Source 
* feat: add IP-based login brute-force protection

- Per-IP rate limiting: 3 failed login attempts locks the IP for 1 hour
- Separate counters for password login and token auth
- Global safety net: 20 req/min, hard lock after 50 total failures
- Persistent lock state to ~/.hermes-web-ui/.login-lock.json (survives restarts)
- Manual unlock: edit or delete the lock file
- Frontend handles 429/503 responses with localized error messages
- i18n support for 8 languages

* feat: add locked IP management endpoint and UI

- GET /api/auth/locked-ips: list all currently locked IPs (protected)
- DELETE /api/auth/locked-ips/:ip: unlock a specific IP (protected)
- DELETE /api/auth/locked-ips: unlock all IPs (protected)
- AccountSettings: shows locked IPs with remaining time, unlock buttons
- i18n support for 8 languages
- Clean up stale .js artifacts, add .gitignore rule

* fix: cross-type IP lock and IPv6-compatible unlock route

- Password and token login now share IP lock state: if an IP is locked
  by either method, ALL auth methods are blocked for that IP
- Changed unlock endpoint from path param to query param (?ip=xxx) to
  support IPv6 addresses containing colons
- Merged unlockIp and unlockAll into a single handler

* chore: increase global login rate limit from 20 to 100 requests per minute

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: ekko <fqsy1416@gmail.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
ccc
2026-05-08 18:29:43 +08:00
committed by GitHub
parent 6291f0d589
commit 4859c32045
17 changed files with 644 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/client/src/views/LoginView.vue
+11 -1
View File
@@ -67,6 +67,12 @@ async function handleTokenLogin() {
return;
}
if (res.status === 429 || res.status === 503) {
errorMsg.value = t("login.tooManyAttempts");
loading.value = false;
return;
}
setApiKey(key);
router.replace("/hermes/chat");
} catch {
@@ -90,7 +96,11 @@ async function handlePasswordLogin() {
setApiKey(sessionToken);
router.replace("/hermes/chat");
} catch (err: any) {
errorMsg.value = err.message || t("login.invalidCredentials");
if (err.status === 429 || err.status === 503) {
errorMsg.value = t("login.tooManyAttempts");
} else {
errorMsg.value = err.message || t("login.invalidCredentials");
}
} finally {
loading.value = false;
}