[GH-ISSUE #1022] Login ratelimit #660

New issue

Open

opened 2026-03-02 16:00:37 +03:00 by kerem · 4 comments

kerem commented

2026-03-02 16:00:37 +03:00

Owner

Originally created by @ririko5834 on GitHub (Apr 14, 2023).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/1022

Is there a way to set some rate-limit for login form? This can prevent brute-force attacks to guess usernames and passwords.

Originally created by @ririko5834 on GitHub (Apr 14, 2023). Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/1022 Is there a way to set some rate-limit for login form? This can prevent brute-force attacks to guess usernames and passwords.

kerem commented

2026-03-02 16:00:38 +03:00

Author

Owner

@ner00 commented on GitHub (May 27, 2023):

Most options would rely on a counter being stored either on a database or on a session variable; a database would increase the dependency on a DBMS, a session counter could be ignored/reset by the attacker.

I've added 2FA authentication in mine (although requires a device like smartphone, etc). I was supposed to add 2FA options interactively, but didn't have the time or patience to get around doing that so the setup is mostly static. Here's the commit where I introduced 2FA in one of my branches: github.com/prasathmani/tinyfilemanager@af2a70d51f, and also this fix to the previous commit github.com/prasathmani/tinyfilemanager@b0a2e20f32

@ner00 commented on GitHub (May 27, 2023): Most options would rely on a counter being stored either on a database or on a session variable; a database would increase the dependency on a DBMS, a session counter could be ignored/reset by the attacker. I've added 2FA authentication in mine (although requires a device like smartphone, etc). I was supposed to add 2FA options interactively, but didn't have the time or patience to get around doing that so the setup is mostly static. Here's the commit where I introduced 2FA in one of my branches: https://github.com/prasathmani/tinyfilemanager/commit/af2a70d51fb4d0cf6499bd99f2e7d9230dbc4981, and also this fix to the previous commit https://github.com/prasathmani/tinyfilemanager/commit/b0a2e20f3224de32276ea88680790075ea07f346

kerem commented

2026-03-02 16:00:38 +03:00

Author

Owner

@ririko5834 commented on GitHub (May 28, 2023):

Can you PR that? Also when talking about 2FA, support for hardware keys should be added

@ririko5834 commented on GitHub (May 28, 2023): Can you PR that? Also when talking about 2FA, support for hardware keys should be added

kerem commented

2026-03-02 16:00:38 +03:00

Author

Owner

@ner00 commented on GitHub (May 28, 2023):

Can you PR that?

I don't feel confident in the way it is implemented, if I do make it cleaner like I was supposed to then sure, I might. Anyone is free to do it though. Things I want to see done first (especially the first couple ones):

Clear with author how he feels about adding a dependency to an otherwise monolith application;
Toggle function in settings;
Request 2FA only after user/password login to decide if user's 2FA needs to be initialized first or not;
Do more research to see if there are better 2FA classes than the one I used.

hardware keys should be added

I don't own any, so I couldn't test that, maybe someone else could do that.

@ner00 commented on GitHub (May 28, 2023): > Can you PR that? I don't feel confident in the way it is implemented, if I do make it cleaner like I was supposed to then sure, I might. Anyone is free to do it though. Things I want to see done first (especially the first couple ones): - Clear with author how he feels about adding a dependency to an otherwise monolith application; - Toggle function in settings; - Request 2FA only after user/password login to decide if user's 2FA needs to be initialized first or not; - Do more research to see if there are better 2FA classes than the one I used. > hardware keys should be added I don't own any, so I couldn't test that, maybe someone else could do that.

kerem commented

2026-03-02 16:00:38 +03:00

Author

Owner

@ner00 commented on GitHub (Jun 10, 2023):

@ririko5834 I'm fairly happy with https://github.com/prasathmani/tinyfilemanager/pull/1054, so I'm thinking that'd be it for now in relation to my contribution to 2FA auth implementation. It adds subtle functionality refinements over the initial implementation, mostly UI/UX stuff.

Again, this is regardless of approval or adoption by the author of the original repository.

@ner00 commented on GitHub (Jun 10, 2023): @ririko5834 I'm fairly happy with https://github.com/prasathmani/tinyfilemanager/pull/1054, so I'm thinking that'd be it for now in relation to my contribution to 2FA auth implementation. It adds subtle functionality refinements over the initial implementation, mostly UI/UX stuff. Again, this is regardless of approval or adoption by the author of the original repository.