Fix rate limiting triggering on login page loads
Only apply the tight 10/min bucket to POST /auth (actual login attempts). GET /auth (session checks on page load) now falls into the general 120/min bucket, preventing the login page from rate-limiting itself during normal use. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+3
-2
@@ -62,8 +62,9 @@ if (!file_exists($endpointFile)) {
|
|||||||
$ip = $_SERVER["REMOTE_ADDR"] ?? "0.0.0.0";
|
$ip = $_SERVER["REMOTE_ADDR"] ?? "0.0.0.0";
|
||||||
$now = time();
|
$now = time();
|
||||||
$window = 60;
|
$window = 60;
|
||||||
$limit = $endpoint === "auth" ? 10 : 120;
|
$isLoginAttempt = $endpoint === "auth" && $_SERVER['REQUEST_METHOD'] === 'POST';
|
||||||
$bucket = $endpoint === "auth" ? "auth" : "api";
|
$limit = $isLoginAttempt ? 10 : 120;
|
||||||
|
$bucket = $isLoginAttempt ? "auth" : "api";
|
||||||
try {
|
try {
|
||||||
$row = $db->fetchOne("SELECT hits, window_start FROM api_rate_limits WHERE ip=? AND endpoint=?", [$ip, $bucket]);
|
$row = $db->fetchOne("SELECT hits, window_start FROM api_rate_limits WHERE ip=? AND endpoint=?", [$ip, $bucket]);
|
||||||
if ($row && ($now - (int)$row["window_start"]) < $window) {
|
if ($row && ($now - (int)$row["window_start"]) < $window) {
|
||||||
|
|||||||
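Review bot: The method check on the new `$isLoginAttempt` line narrows the 10/min bucket to exactly `POST`, so any other method the auth endpoint might accept a credential on (a `PUT`, or a `GET` carrying the form fields) would be counted against the 120/min `api` bucket instead; whether the endpoint file rejects non-POST requests is not visible in this hunk, so either confirm that or make the exemption the narrow side: `$method = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET');` and `$isLoginAttempt = $endpoint === "auth" && !in_array($method, ['GET', 'HEAD', 'OPTIONS'], true);`. The `??` default also keeps the line consistent with the `REMOTE_ADDR` read two lines above, which already guards against the key being absent. The `try {` opened in this hunk closes outside it.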