Re: Chevereto v4.3.0 announcement

SunnyBlueSkies

SunnyBlueSkies.com
Added restricted password reset after repeated failures

In Chevereto v4.3.0, the password-forgot action is now subject to the same failure limits as login and signup. After a number of failed attempts (25 by default), further requests from the same IP are blocked. This helps prevent abuse of the password reset functionality. The restriction system is IP-based and can be extended to other actions—contributions and suggestions are welcome.
What about flexibility and choice, perhaps a soft ban from the same IP, in the event that the user makes an error and truly wants to reset the password through this method but can't due to complications beyond their control?
 
@SunnyBlueSkies

The current default is 25 in 24H, which is more than enough to cover all these edge cases. This is not a new request-log system; it is the exact same failed-request protection we have already enabled for other systems, we just extend it to cover more system actions now.

I've been self-locked a few times while servicing installations with issues, but preventing the request-log system from doing its thing was never part of the solution, as it is a protection system, like a fence.
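The limit discussed in this thread (25 failures per IP in 24H) can be modelled as a rolling-window failure log. This is an added example, not Chevereto's code: the `FailureLimiter` class, the per-action counters and the rolling (rather than fixed) window are assumptions, and the IPs and timestamps are constructed.

```python
import time
from collections import deque

MAX_FAILURES = 25            # default stated in the thread
WINDOW_SECONDS = 24 * 3600   # "25 in 24H"

class FailureLimiter:
    """Hypothetical rolling-window failure log keyed by (ip, action)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._log = {}  # (ip, action) -> deque of failure timestamps

    def _live(self, key, now):
        # Drop failures older than the window; lookups never create entries.
        q = self._log.get(key)
        if q is None:
            return ()
        while q and now - q[0] >= self.window:
            q.popleft()
        if not q:
            del self._log[key]
        return q

    def record_failure(self, ip, action, now=None):
        now = time.time() if now is None else now
        self._live((ip, action), now)
        self._log.setdefault((ip, action), deque()).append(now)

    def remaining(self, ip, action, now=None):
        now = time.time() if now is None else now
        return max(0, self.max_failures - len(self._live((ip, action), now)))

    def is_blocked(self, ip, action, now=None):
        return self.remaining(ip, action, now) == 0

def simulate():
    """Constructed scenario: one IP fails password-forgot once a minute."""
    lim = FailureLimiter()
    ip, t0 = "203.0.113.7", 1_700_000_000  # documentation-range IP, constructed time
    for i in range(25):
        lim.record_failure(ip, "password-forgot", now=t0 + 60 * i)
    soon = t0 + 1500
    return (
        lim.is_blocked(ip, "password-forgot", now=soon),              # limit reached
        lim.is_blocked(ip, "login", now=soon),                        # assumed separate counter
        lim.is_blocked("198.51.100.9", "password-forgot", now=soon),  # other IP unaffected
        lim.is_blocked(ip, "password-forgot", now=t0 + WINDOW_SECONDS),  # oldest failure expired
    )
```

Under these assumptions the block lifts on its own once the oldest failure ages out of the 24-hour window, while every user behind the same IP shares one budget.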
 