Persist login rate limit attempts#1919
Closed
franksong2702 wants to merge 1 commit into
Closed
Conversation
Collaborator
Shipped in v0.51.29 via the Release F batch (release PR #1934, merge SHA 🚀 Release notes: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.29 Thanks for the contribution!
pull Bot pushed a commit to soitun/hermes-webui that referenced this pull request on May 8, 2026:
…persistence + scroll/lineage fixes + i18n cleanup)
Six-PR contributor batch:
- PR nesquena#1919 (franksong2702): Persist login rate limit attempts (closes nesquena#1910)
- PR nesquena#1920 (franksong2702): Remove dead Kanban start i18n key
- PR nesquena#1921 (Michaelyklam): Production Docker image hardening (closes nesquena#1908)
- PR nesquena#1926 (ai-ag2026): Prevent chat scroll resets after final render
- PR nesquena#1927 (ai-ag2026): Preserve viewport when loading older messages
- PR nesquena#1930 (ai-ag2026): Collapse stale compression sidebar segments
Tests: 4947 → 4960 (+13 net new). Browser API harness all-green. Opus advisor: SHIP-READY.
CHANGELOG conflict on nesquena#1919 auto-resolved during stage rebase (CHANGELOG took ours strategy).
Thinking Path
Issue #1910 points out that the login rate limiter currently stores failed attempts only in process memory. A server restart clears the window, weakening the limiter for deployments with password auth enabled.
What Changed
- Failed attempts are persisted to STATE_DIR/.login_attempts.json.
- The file is written via os.replace, matching the existing session-cookie persistence pattern.
- The file is created with 0600 permissions.
Why It Matters
Password-auth deployments keep the same failed-attempt window across normal restarts instead of granting every IP a fresh bucket whenever the WebUI process restarts.
Verification
.venv_test/bin/python -m pytest -q tests/test_issue1910_login_attempt_persistence.py tests/test_sprint29.py::TestLoginRateLimit
python3 -m py_compile api/auth.py
git diff --check
Risks
Low. The limiter remains single-process and keeps the same threshold/window semantics. If the file is missing, malformed, or unwritable, the auth path falls back to the current in-memory behavior and logs at debug level.
Model Used
GPT-5 Codex via Codex CLI.
Closes #1910.
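The persistence pattern the description sketches (a JSON state file under STATE_DIR, temp file plus os.replace for atomic writes, 0600 permissions, and a debug-logged fallback to plain in-memory behaviour when the file is missing, malformed or unwritable), as an added example. This is hypothetical illustration code, not hermes-webui's api/auth.py; the class name, the constructor signature and the 5-attempt / 300-second defaults are assumptions.

```python
import json
import logging
import os
import tempfile
import time

log = logging.getLogger(__name__)


# Hypothetical illustration of the pattern described in PR #1919; not the project's api/auth.py.
class PersistentLoginLimiter:
    def __init__(self, state_dir, max_attempts=5, window_seconds=300, clock=time.time):
        self.path = os.path.join(state_dir, ".login_attempts.json")
        self.max_attempts, self.window, self.clock = max_attempts, window_seconds, clock
        self.attempts = self._load()  # {client_ip: [failure timestamps]}

    def _load(self):
        """Restore the window from disk; missing/malformed state falls back to empty."""
        try:
            with open(self.path) as f:
                data = json.load(f)
            if not isinstance(data, dict):
                raise ValueError("unexpected state shape")
            return {str(ip): [float(t) for t in ts] for ip, ts in data.items()}
        except (OSError, ValueError, TypeError) as exc:
            log.debug("ignoring login attempt state: %s", exc)
            return {}

    def _save(self):
        """Write atomically: temp file in the same dir, chmod 0600, then os.replace."""
        try:
            fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path), prefix=".login_attempts.")
            with os.fdopen(fd, "w") as f:
                json.dump(self.attempts, f)
            os.chmod(tmp, 0o600)
            os.replace(tmp, self.path)  # readers see the old or the new file, never a partial one
        except OSError as exc:
            log.debug("could not persist login attempts: %s", exc)  # keep in-memory behaviour

    def _prune(self, ip):
        cutoff = self.clock() - self.window
        self.attempts[ip] = [t for t in self.attempts.get(ip, []) if t > cutoff]

    def is_blocked(self, ip):
        self._prune(ip)
        return len(self.attempts[ip]) >= self.max_attempts

    def record_failure(self, ip):
        self._prune(ip)
        self.attempts[ip].append(self.clock())
        self._save()
```

A second instance constructed against the same state_dir sees the same failure window, which is the behaviour the PR adds across a process restart.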