From 14d9b7388e1ce4b0cf06f36510d4f35c938de876 Mon Sep 17 00:00:00 2001 From: moojttaba Date: Fri, 5 Jun 2026 10:50:09 +0330 Subject: [PATCH] =?UTF-8?q?Activity=20Log:=20backend=20v2.8.90=20=E2=80=94?= =?UTF-8?q?=20login=20lockout=20off=20by=20default=20(env-gated)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- 09 - Audits/Activity Log.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/09 - Audits/Activity Log.md b/09 - Audits/Activity Log.md index 560d4da..dfc9dcb 100644 --- a/09 - Audits/Activity Log.md +++ b/09 - Audits/Activity Log.md @@ -11,6 +11,15 @@ entries on top. Maintained by agents per the rule in `../AGENTS.md`. --- +### 2026-06-05 — backend@v2.8.90 — Login failed-attempt lockout now OFF by default (env-gated) + +**Commits:** backend v2.8.90 +**Touched:** `services/auth/authController.ts` (`login`) +**Why:** Rapid multi-account testing repeatedly tripped the email-based login lockout (5 fails / 15 min → HTTP 429), locking out even correct passwords. Gated the whole lockout behind `LOGIN_RATE_LIMIT_ENABLED`: when not `'true'` (the default) the login skips both the `checkLoginAttempts` 429 gate AND the per-email `incrementFailedLoginAttempt` increments (via a `trackFailedLogin()` helper), so a stale Redis lockout is ignored too. **Security note:** this disables brute-force protection on the password login by default — set `LOGIN_RATE_LIMIT_ENABLED=true` in the environment to restore it. Telegram-auth and password-reset rate limits are unchanged. +**Verification:** backend `npx tsc --noEmit` clean. After deploy: password login no longer returns 429 / locks out; setting the env flag re-enables the limiter. + +--- + ### 2026-06-05 — backend@v2.8.89 — Gamification: extend levels from 5 to 10 tiers **Commits:** backend v2.8.89
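Review bot: this entry records a fail-open default for the password login, and the hunk should say more about how that is contained. As written, the 5 fails / 15 min → HTTP 429 gate and the per-email `incrementFailedLoginAttempt` counters are both skipped unless `LOGIN_RATE_LIMIT_ENABLED` is exactly `'true'`, so an unset, mistyped or differently-spelled value in a production environment silently leaves brute-force protection off; the safer shape is the inverse (limiter on by default, a test-only flag to disable it), or at minimum the entry should list which deployed environments have the flag set to `'true'` so the state is auditable from this log. The **Verification** line cites only `npx tsc --noEmit` and a post-deploy check that 429s no longer appear; since the change touches both the `checkLoginAttempts` gate and the new `trackFailedLogin()` helper, it should also state that the 429 path and the failed-attempt increments were exercised with the flag set to `'true'`, otherwise "setting the env flag re-enables the limiter" is an assumption rather than a verified result.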