SECURITY UPDATE

* Handle failed login attempts via Telnet
* New lockout features for >= N failed attempts
* New auto-unlock over email feature
* New auto-unlock after N minutes feature
* Code cleanup in users
* Add user_property.js - start using consts for user properties. Clean up over time.
* Update email docs
Bryan Ashby 2018-11-22 23:07:37 -07:00
parent f18b023652
commit df2bf4477e
18 changed files with 401 additions and 100 deletions


@ -172,7 +172,6 @@ function getDefaultConfig() {
// :TODO: closedSystem and loginAttemps prob belong under users{}?
closedSystem : false, // is the system closed to new users?
loginAttempts : 3,
menuFile : 'menu.hjson', // 'oputil.js config new' will set this appropriately in config.hjson; may be full path
promptFile : 'prompt.hjson', // 'oputil.js config new' will set this appropriately in config.hjson; may be full path
@ -217,6 +216,13 @@ function getDefaultConfig() {
preAuthIdleLogoutSeconds : 60 * 3, // 3m
idleLogoutSeconds : 60 * 6, // 6m
failedLogin : {
disconnect : 3, // 0=disabled
lockAccount : 9, // 0=disabled; Mark user status as "locked" if >= N
autoUnlockMinutes : 60 * 6, // 0=disabled; Auto unlock after N minutes.
},
unlockAtEmailPwReset : true, // if true, password reset via email will unlock locked accounts
},
theme : {
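Review bot: The comments on the new `failedLogin` block do not say what the thresholds count: `disconnect : 3` carries only `// 0=disabled`, and `lockAccount : 9` says "if >= N" without stating whether N is per connection or cumulative per account, or when the count resets. That scope matters to operators choosing values, because a per-account lock means repeated failed logins against a known user name keep that user out for `autoUnlockMinutes` (6 hours by default). I would document it, e.g. `disconnect : 3, // 0=disabled; drop the connection after N failed attempts`, plus a line above `lockAccount` stating the counting scope and reset condition. The comment on `unlockAtEmailPwReset : true` should also note that the lock is then only as strong as access to the user's mailbox. Separately, the TODO in the first hunk still names `loginAttemps`, which this change appears to replace with `failedLogin.disconnect`; the page does not mark which lines were removed, so confirm that before updating the comment.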