Rate limiter also for normal login page?

[mibere]

I'm not sure if I understand the code correctly, but there seems to be a rate limiter also for normal login page:
https://github.com/zadam/trilium/blob/master/src/routes/routes.js#L103

But if I log in a dozen times in quick succession with an incorrect password on https://mydomain/login, I don't see any effects of the rate limiter. There's also no info/output in the browser console or the Trilium log regarding rate limiting.

Trilium 0.59.4

[zadam]

Hello, this is a bug. The logic page returned 200 (with error message) which meant it did not count towards the rate limit.

This is now fixed, thanks for bringing this up to my attention.

[Onionbai]

Hi, I met this problem, too. The login page returned "The password is incorrect, please try agin", but I tried more than 60 wrong password ,it still returned "The password is incorrect, please try agin".

In F12 view:
Setting device cookie to: desktop
DevTools failed to load source map: Could not load content for chrome-extension://dfhgmnfclbebfobmblelddiejjcijbjm/lib/browser-polyfill.js.map: System error: net::ERR_BLOCKED_BY_CLIENT. DevTools failed to load source map: Could not load content for http://127.0.0.1:9980/assets/v0.59.4/libraries/bootstrap/css/bootstrap.min.css.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE.

This is a fresh deployment in vmware with nothing in database except for a passwod, using v0.59.4 release.

[mibere]

@Onionbai It is fixed in v0.60.0-beta release

[Onionbai]

That‘s awesome, it returned "Too many requests, please try again later." Thank you.

[WeskerC]

@zadam Hi Zadam, I wonder if there is a "fail2ban"-like function which allows me to forbid brutal attacks from open web?

[mibere]

Thanks for the fix 👍 Now it works as expected.

Now I see Too many requests, please try again later and in the browser console
POST https://mydomain/login [HTTP/3 429 Too Many Requests 20ms]