Activity Log: backend v2.8.90 — login lockout off by default (env-gated)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
moojttaba
2026-06-05 10:50:09 +03:30
parent a4ded94ae2
commit 14d9b7388e


@@ -11,6 +11,15 @@ entries on top. Maintained by agents per the rule in `../AGENTS.md`.
--- ---
### 2026-06-05 — backend@v2.8.90 — Login failed-attempt lockout now OFF by default (env-gated)
**Commits:** backend v2.8.90
**Touched:** `services/auth/authController.ts` (`login`)
**Why:** Rapid multi-account testing repeatedly tripped the email-based login lockout (5 fails / 15 min → HTTP 429), locking out even correct passwords. Gated the whole lockout behind `LOGIN_RATE_LIMIT_ENABLED`: when not `'true'` (the default) the login skips both the `checkLoginAttempts` 429 gate AND the per-email `incrementFailedLoginAttempt` increments (via a `trackFailedLogin()` helper), so a stale Redis lockout is ignored too. **Security note:** this disables brute-force protection on the password login by default — set `LOGIN_RATE_LIMIT_ENABLED=true` in the environment to restore it. Telegram-auth and password-reset rate limits are unchanged.
**Verification:** backend `npx tsc --noEmit` clean. After deploy: password login no longer returns 429 / locks out; setting the env flag re-enables the limiter.
---
### 2026-06-05 — backend@v2.8.89 — Gamification: extend levels from 5 to 10 tiers ### 2026-06-05 — backend@v2.8.89 — Gamification: extend levels from 5 to 10 tiers
**Commits:** backend v2.8.89 **Commits:** backend v2.8.89
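Review bot: the default chosen in this entry leaves password login without brute-force protection everywhere, including production, unless someone remembers to set `LOGIN_RATE_LIMIT_ENABLED=true`; the entry's own security note admits this, but an opt-in flag is the wrong shape for a control that was previously always on. Invert the default so the limiter stays enabled unless explicitly disabled (check for `'false'` rather than `'true'`), or scope the bypass to the test environment that motivated the change, so production keeps the `checkLoginAttempts` 429 gate and the `incrementFailedLoginAttempt` counting without any deploy-time configuration. Whichever default is kept, the change description should say whether the flag is read once at startup or per request, and a startup warning log when the limiter is off would give operators a visible signal instead of a silent regression; the stated verification (`tsc --noEmit` plus "no longer returns 429") does not cover the enabled path, so a test that sets the flag and confirms the 429 after five failures would close that gap.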