
[Feature] Allow modify and disable DefaultMaxAuthRetries in auth #1943

@Ecss11

Description

Please confirm the following

  • I have read and agree to AGPL-3.0 Section 15.
    The program is provided "as is" without any warranties; you bear all risks of using it.

  • I have read and agree to AGPL-3.0 Section 16.
    The copyright holders and distributors are not liable for any damages resulting from the use or inability to use the program.

  • I confirm my description is clear, polite, helps developers quickly locate the issue, and complies with community rules.

  • I have read the OpenList documentation.

  • I confirm there are no duplicate issues or discussions.

  • I believe this issue must be handled by OpenList and not by a third party.

  • I confirm this feature has not been implemented yet.

  • I confirm this feature is reasonable and has general demand, not just my personal need.

Feature Description

I deployed OpenList behind an frp proxy to the proxy server. When one user has multiple failed auth requests, it blocks all login requests from all users due to the auth mechanism, which treats the proxy server address as a single instance. The following code was captured from server/handles/auth.go:

// check count of login
ip := c.ClientIP()
count, ok := model.LoginCache.Get(ip)
if ok && count >= model.DefaultMaxAuthRetries {
	common.ErrorStrResp(c, "Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later.", 429)
	model.LoginCache.Expire(ip, model.DefaultLockDuration)
	return
}

Also the hardcoded retry time in internal/model/user:

var (
	DefaultLockDuration   = time.Minute * 5
	DefaultMaxAuthRetries = 5
)

It would be a pleasure if such options could be added to allow users to decide whether they want the login count to be enabled. Furthermore, please let me know if there is a better solution to it.

Suggested Solution

Adding a conditional statement will be enough for switching the max retry option:

// check count of login
ip := c.ClientIP()
count, ok := model.LoginCache.Get(ip)
// conf.EnableMaxRetries is the proposed new setting key; it holds a boolean, so it must be read with
// setting.GetBool (setting.GetStr returns a string, which cannot be used in a boolean expression)
if (ok && count >= model.DefaultMaxAuthRetries) && setting.GetBool(conf.EnableMaxRetries) {
	common.ErrorStrResp(c, "Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later.", 429)
	model.LoginCache.Expire(ip, model.DefaultLockDuration)
	return
}

This will also require changes in internal/bootstrap/data/setting.go and internal/conf/const.go for the config value. A similar change can be applied to the max retries value.

Additional Information

No response
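The issue describes two separate problems: the lockout counter is keyed on the client IP alone, and the IP seen by the server is the proxy's, so one user's failures lock out everyone behind that proxy. The sketch below is an added example, not OpenList's code or the issue author's proposal. It makes the retry count and lock duration configurable (with an on/off switch, as requested), scopes the counter to the pair (client IP, username) so that users sharing a proxy address do not lock each other out, and resolves the client address from X-Forwarded-For only when the TCP peer is a trusted proxy. The names LockoutPolicy, LoginLimiter, LockoutKey and ClientIP, the in-memory map standing in for model.LoginCache, and the addresses in the scenario are all invented here; the trusted-proxy behaviour of ClientIP mirrors what gin's own c.ClientIP() does once SetTrustedProxies is configured, which is the setting an OpenList operator would actually use.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"sync"
	"time"
)

// LockoutPolicy replaces the hard-coded DefaultMaxAuthRetries / DefaultLockDuration. Enabled=false
// switches the check off, as the issue asks; that also removes the only brute-force throttle on login.
type LockoutPolicy struct {
	Enabled      bool
	MaxRetries   int
	LockDuration time.Duration
}

type attempt struct{ count int; lockedUntil time.Time } // lockedUntil is zero while not locked

// LoginLimiter stands in for model.LoginCache: one failure counter per lockout key (hypothetical type).
type LoginLimiter struct {
	mu      sync.Mutex
	policy  LockoutPolicy
	entries map[string]*attempt
	now     func() time.Time // injectable clock so lock expiry can be tested
}

func NewLoginLimiter(p LockoutPolicy) *LoginLimiter {
	return &LoginLimiter{policy: p, entries: map[string]*attempt{}, now: time.Now}
}

// LockoutKey scopes the counter to (client IP, username). Keying on the IP alone is what locks
// every user behind a shared proxy address out at once.
func LockoutKey(ip, username string) string {
	return ip + "|" + strings.ToLower(username)
}

// locked reports whether a's lock window is still running.
func (l *LoginLimiter) locked(a *attempt) bool {
	return !a.lockedUntil.IsZero() && l.now().Before(a.lockedUntil)
}

// Allowed reports whether a login attempt under key may proceed.
func (l *LoginLimiter) Allowed(key string) bool {
	if !l.policy.Enabled {
		return true
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	a, ok := l.entries[key]
	return !ok || !l.locked(a)
}

// RecordFailure bumps the counter and starts (or extends) the lock once MaxRetries is reached.
func (l *LoginLimiter) RecordFailure(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	a, ok := l.entries[key]
	if !ok || (!a.lockedUntil.IsZero() && !l.locked(a)) {
		a = &attempt{} // new key, or an expired lock: start a fresh window
		l.entries[key] = a
	}
	a.count++
	if a.count >= l.policy.MaxRetries {
		a.lockedUntil = l.now().Add(l.policy.LockDuration)
	}
}

// ClientIP picks the address to throttle on. X-Forwarded-For is honoured only when the TCP peer is a
// trusted proxy, and then only its rightmost entry (the one that proxy appended); earlier entries are
// client-controlled and could be spoofed to dodge the limiter.
func ClientIP(remoteAddr, xff string, trustedProxies []string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	trusted := false
	for _, p := range trustedProxies {
		trusted = trusted || p == host
	}
	if !trusted || xff == "" {
		return host
	}
	parts := strings.Split(xff, ",")
	if last := strings.TrimSpace(parts[len(parts)-1]); net.ParseIP(last) != nil {
		return last
	}
	return host
}

func main() {
	// Constructed scenario: alice and bob both reach the server through the frp host 10.0.0.2.
	l := NewLoginLimiter(LockoutPolicy{Enabled: true, MaxRetries: 5, LockDuration: 5 * time.Minute})
	for i := 0; i < 5; i++ {
		l.RecordFailure(LockoutKey("10.0.0.2", "alice"))
	}
	fmt.Println("alice allowed:", l.Allowed(LockoutKey("10.0.0.2", "alice"))) // false
	fmt.Println("bob allowed:  ", l.Allowed(LockoutKey("10.0.0.2", "bob")))   // true
	fmt.Println("real client:  ", ClientIP("10.0.0.2:51000", "203.0.113.7", []string{"10.0.0.2"}))
}
```

Two caveats for anyone applying this. Turning the check off entirely, as the feature request proposes, leaves the login route with no brute-force throttle at all; configuring the trusted proxy so the server sees the real client address (if the proxy forwards it) and keying the counter on address plus username keeps the protection while fixing the shared-address problem. Keeping the IP in the key also matters: a counter keyed on the username alone would let anyone lock a victim's account by sending five bad passwords for it.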
