Description
Issue 1: Ambiguity in Login Rate Limits
The code-server FAQ states:
code-server supports setting a single password and limits logins to two per minute plus an additional twelve per hour.
This language is somewhat ambiguous and leaves room for interpretation. For example:
- Are successful logins also part of the rate limit?
- Are failed logins excluded from the rate limit?
Proposed Solution
To clarify, the FAQ could be revised as follows:
code-server supports setting a single password and limits all logins (successful or unsuccessful) to two per minute plus an additional twelve per hour.
Issue 2: Configuration File Permissions
When starting code-server, the generated configuration file is created with permissions that allow other users on the system to view the file. This can potentially expose the user’s password.
Proposed Solution
- Ensure that the configuration file is created with stricter permissions, making it readable and writable only by the user running code-server.
- Alternatively, provide a clear warning in the documentation about this behavior so users can manually adjust permissions.
Additional Feature Suggestion
As someone who prioritizes tight security but does not want to limit successful logins, I would find it ideal to:
- Customize rate limit settings.
- Configure integration with fail2ban for more comprehensive security.
These enhancements would provide significant benefits for users who require fine-grained control over security policies.