Cohee
c325c6d8e9
Add account version tags to cookies (#5563)
* feat: add user account version to session cookie
Co-authored-by: Copilot <copilot@github.com>
* feat: include user handle in account version hash calculation
* feat: refactor recovery code generation to use a dedicated function
* fix: don't overwrite current session version if updating another user
Co-authored-by: Copilot <copilot@github.com>
* fix: reset session version instead of nullifying the entire session
* fix: short circuit and clear cookie on request invalidation
Co-authored-by: Copilot <copilot@github.com>
* fix: update account version on recovery
---------
Co-authored-by: Copilot <copilot@github.com>
2026-05-02 17:07:57 +03:00
Cohee
b2fa6a0afb
Add rate limit to basic auth middleware (#5504)
* feat: add rate limiting to basic auth flow
* fix: round up retry-after duration
* feat: enhance point consume logic
* fix: move unauthorized webpage reading inside response function
* refactor: move getIpAddress to express-common
* fix: check for rate limit before checking creds
* fix: use correct rate limit pattern in /recover-step2
* feat: handle CF forwarded IP header in rate limit, whitelist and access logger
* feat: add individual config toggles for forwarded headers
* feat: enhance IP address retrieval to include forwarded IP for access logging
* chore: clean-up diff
* fix: don't consume points for missing credentials
* feat: log rate limited method and URL
Co-authored-by: Copilot <copilot@github.com>
* feat: make rate limiter points configurable
Co-authored-by: Copilot <copilot@github.com>
* feat: implement retry-after header for rate limiting responses
Co-authored-by: Copilot <copilot@github.com>
---------
Co-authored-by: Copilot <copilot@github.com>
2026-05-01 00:09:24 +03:00
Cohee
67d013e40a
Use default middleware for parsing request body
2025-03-10 00:48:58 +02:00
Cohee
eb31d7baa2
Merge branch 'staging' into immutable-config
2025-02-20 21:54:41 +02:00
Cohee
3f03936125
Add config value type converters for numbers and booleans
2025-02-20 21:53:48 +02:00
KevinSun
3f5b63bba0
Feature: Add configurable X-Real-IP header support for rate limiting (#3504)
* fix: correct client IP detection behind reverse proxy
* Revert "fix: correct client IP detection behind reverse proxy"
This reverts commit 72075062402eadb32c9e349df9bc92bfe4546ce3.
* feat: support X-Real-IP header for reverse proxy setups
* feat: add option to use x-real-ip for rate limiting behind reverse proxy
* docs: update rate limiting configuration comments for X-Real-IP usage
* refactor: extract getIpAddress function to reduce code duplication
* revert(whitelist): rate limit settings shouldn't affect whitelist
2025-02-20 21:11:44 +02:00
Cohee
0c8a11e28b
Further loglevel updates
1. Fix missed endpoints
2. Exclude console.log from loglevel
2025-02-02 15:40:37 +02:00
Eradev
a5399b6614
Sparser use of .error
2025-02-02 03:47:04 -05:00
Eradev
1f9fa74786
Rewritten minLogLevel feature
2025-01-15 10:02:32 -05:00
Cohee
e55748fe92
Fix Date constructor call
2024-12-05 18:55:17 +02:00
Meus Artis
4466da63bc
Update users-public.js
Replace session touch timestamp with Date()
2024-12-03 14:56:40 -05:00
Meus Artis
c3f988f246
Update users-public.js
Better/more detailed console output for multi-user installs
2024-12-03 01:09:41 -05:00
Cohee
a0e6030836
Simplify node imports
2024-10-11 00:28:17 +03:00
Cohee
1616e7e067
Explicitly import Buffer. Specify jsdoc local extensions
2024-10-10 23:36:22 +03:00
Cohee
d52b4fbbde
Node: Migrate to ES Modules
2024-10-10 22:37:22 +03:00
Cohee
1a372abaff
Customizable avatars for users
2024-04-13 17:52:37 +03:00
Cohee
dcd89f2295
Fix public facing messages
2024-04-13 00:13:36 +03:00
Cohee
53386b35c9
Make Reset account functional
2024-04-13 00:11:20 +03:00
Cohee
2306a4e34d
Add discreet login mode
2024-04-10 22:00:08 +03:00
Cohee
411a8ef8a7
Enable CSRF for public endpoints. Split users module. Add rate limiter.
2024-04-09 21:58:16 +03:00