Fix rate limiting triggering on login page loads

Only apply the tight 10/min bucket to POST /auth (actual login attempts).
GET /auth (session checks on page load) now falls into the general 120/min
bucket, preventing the login page from rate-limiting itself during normal use.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-09 10:53:18 +00:00
parent 4409a94d78
commit e8d13678fb
+3 -2
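@@ -62,8 +62,9 @@ if (!file_exists($endpointFile)) {
 $ip = $_SERVER["REMOTE_ADDR"] ?? "0.0.0.0";
 $now = time();
 $window = 60;
-$limit = $endpoint === "auth" ? 10 : 120;
-$bucket = $endpoint === "auth" ? "auth" : "api";
+$isLoginAttempt = $endpoint === "auth" && $_SERVER['REQUEST_METHOD'] === 'POST';
+$limit = $isLoginAttempt ? 10 : 120;
+$bucket = $isLoginAttempt ? "auth" : "api";
 try {
 $row = $db->fetchOne("SELECT hits, window_start FROM api_rate_limits WHERE ip=? AND endpoint=?", [$ip, $bucket]);
 if ($row && ($now - (int)$row["window_start"]) < $window) {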
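Review bot: Gating the tight 10/min bucket on `REQUEST_METHOD === 'POST'` on the new `$isLoginAttempt` line means a credential submission sent with any other method (PUT, PATCH, or a handler that reads `$_REQUEST` and never checks the method) is counted in the loose 120/min bucket, so the brute-force protection is now only as strong as the method check inside the auth endpoint, which is not visible in this hunk. Safer is to invert the test so only safe methods escape the tight bucket: `$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';` followed by `$isLoginAttempt = $endpoint === "auth" && !in_array($method, ['GET', 'HEAD', 'OPTIONS'], true);` — the `??` default also avoids an undefined-index notice if this file is ever executed outside a web SAPI. A comment on that line such as `// session checks on page load (GET) share the general bucket; anything that can carry credentials is throttled` would record the intent for the next reader. As a style point, the new line uses single-quoted strings where the surrounding code consistently uses double quotes. The enclosing `if (!file_exists($endpointFile))` block begins before this hunk and the `try` block continues past it.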