Setting BAN_VIOLATIONS=false has no effect on login violation bans

[georgenmatthew]

What happened?

Setting BAN_VIOLATIONS=false works as expected for violations such as NON_BROWSER_VIOLATION, but seems to have no effect on LOGIN_VIOLATION.

Additionally, when an IP is banned for Too many login attempts, please try again after 5 minutes, this ban does not seem to be logged anywhere.

Is rate limiting a separate mechanism from the other ban types? If yes, this is unclear in the documentation.

I experienced an issue where an incorrectly configured TRUST_PROXY setting caused all traffic to appear to be coming from the same IP, which belonged to a load balancer sitting in front of LibreChat. This IP was prone to being blocked by rate limiting if several legitimate users attempted to sign in within the rate limiting window.

While investigating the root cause, I made an attempt at a temporary workaroud using BAN_VIOLATIONS=false, but this had no effect.

Properly setting the TRUST_PROXY environment variable helped to resolve the issue. Now, I am looking for clarification on whether setting BAN_VIOLATIONS=false should apply to the login rate limiting, or how login rate limiting can be disabled.

Additionally, while I observed violation and ban logs for things like NON_BROWSER_VIOLATION, I was unable to find any logs for login rate limiting. Where is this logged?

Thank you!!

Version Information

0.8.0-rc3

Steps to Reproduce

1. Use default moderation values from .env.example except change: BAN_VIOLATIONS=false
2. Attempt to rapidly log in/out greater than 7 times in a 5 minute window per default configuration:

LOGIN_MAX=7
LOGIN_WINDOW=5

5. Observe error
   429: Too Many Requests

{"message":"Too many login attempts, please try again after 5 minutes."}

What browsers are you seeing the problem on?

Firefox

Relevant log output

no related log output found

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Additionally, when an IP is banned for Too many login attempts, please try again after 5 minutes, this ban does not seem to be logged anywhere.

Is rate limiting a separate mechanism from the other ban types? If yes, this is unclear in the documentation.

Yes, it's a separate mechanism. It's discussed here:

https://www.librechat.ai/docs/features/mod_system#login-and-registration-rate-limiting

Env. variables here:

https://www.librechat.ai/docs/features/mod_system#login-and-registration-rate-limiting

[georgenmatthew]

Thank you! I think this answers all of my questions except: where are login rate limiting actions logged?