From e8d13678fb3f5c12a95934c148dca504a12ce90a Mon Sep 17 00:00:00 2001
From: Myron Blair
Date: Tue, 9 Jun 2026 10:53:18 +0000
Subject: [PATCH] Fix rate limiting triggering on login page loads

Only apply the tight 10/min bucket to POST /auth (actual login attempts). GET /auth (session checks on page load) now falls into the general 120/min bucket, preventing the login page from rate-limiting itself during normal use.

Co-Authored-By: Claude Sonnet 4.6
---
 panel/api/index.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/panel/api/index.php b/panel/api/index.php
index 5528f11..688b8e8 100644
--- a/panel/api/index.php
+++ b/panel/api/index.php
@@ -62,8 +62,9 @@ if (!file_exists($endpointFile)) {
     $ip = $_SERVER["REMOTE_ADDR"] ?? "0.0.0.0";
     $now = time();
     $window = 60;
-    $limit = $endpoint === "auth" ? 10 : 120;
-    $bucket = $endpoint === "auth" ? "auth" : "api";
+    $isLoginAttempt = $endpoint === "auth" && $_SERVER['REQUEST_METHOD'] === 'POST';
+    $limit = $isLoginAttempt ? 10 : 120;
+    $bucket = $isLoginAttempt ? "auth" : "api";
     try {
         $row = $db->fetchOne("SELECT hits, window_start FROM api_rate_limits WHERE ip=? AND endpoint=?", [$ip, $bucket]);
         if ($row && ($now - (int)$row["window_start"]) < $window) {
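Review bot: The tight bucket now hinges on `$_SERVER['REQUEST_METHOD'] === 'POST'` exactly, so a credential submission sent with any other verb (GET with query parameters, PUT, PATCH, or a method-override header if the app honours one) falls into the shared 120/min bucket — a 12x relaxation of brute-force protection if the auth handler processes credentials on those methods. Whether it does cannot be seen here, since the auth endpoint file is outside this hunk, so the safer shape is to deny-list the read-only verbs instead of allow-listing POST: `$method = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET');` and `$isLoginAttempt = $endpoint === "auth" && !in_array($method, ['GET', 'HEAD', 'OPTIONS'], true);`. The `?? 'GET'` also avoids an undefined-index notice when REQUEST_METHOD is unset (CLI or some SAPIs). Either way, document the invariant the relaxed bucket now depends on next to the new line, e.g. `// The auth handler must never accept credentials on GET/HEAD/OPTIONS; those only report session state and share the general bucket.`, and back it with a test that a GET to /auth carrying credentials is rejected rather than authenticated.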