[PR #7707] [MERGED] fix: only count failed attempts against auth rate limit #97235

Closed
opened 2026-05-26 14:03:45 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/actualbudget/actual/pull/7707
Author: @danielhopkins
Created: 5/4/2026
Status: Merged
Merged: 5/4/2026
Merged by: @matt-fidd

Base: masterHead: fix/auth-rate-limit-skip-successful


📝 Commits (3)

  • d499451 fix: only count failed attempts against auth rate limit
  • 9808729 Update upcoming-release-notes/7706.md
  • fd1af9b fix: rename release note to match PR number

📊 Changes

2 files changed (+7 additions, -0 deletions)

View changed files

📝 packages/sync-server/src/app-account.js (+1 -0)
upcoming-release-notes/7707.md (+6 -0)

📄 Description

Description

Adds skipSuccessfulRequests: true to authRateLimiter in app-account.js.

With this change, only failed login attempts consume rate limit quota. Successful logins (correct password) do not count. This preserves full brute-force protection — attackers generating repeated failures still hit the wall — while fixing breakage for legitimate API clients that re-authenticate per operation.

Fixes #7706

Testing

Existing unit tests cover the rate-limiting behaviour. The authRateLimiter.resetKey pattern in the test suite is compatible with this change — successful requests simply won't increment the counter.

Checklist

  • Release notes added
  • No obvious regressions in affected areas
  • Self-review has been performed - I understand what each change in the code does and why it is needed

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/actualbudget/actual/pull/7707 **Author:** [@danielhopkins](https://github.com/danielhopkins) **Created:** 5/4/2026 **Status:** ✅ Merged **Merged:** 5/4/2026 **Merged by:** [@matt-fidd](https://github.com/matt-fidd) **Base:** `master` ← **Head:** `fix/auth-rate-limit-skip-successful` --- ### 📝 Commits (3) - [`d499451`](https://github.com/actualbudget/actual/commit/d49945145b681709e5bd369e6038910da7a2358a) fix: only count failed attempts against auth rate limit - [`9808729`](https://github.com/actualbudget/actual/commit/9808729326048605aa048b833e0b6674b2b5a98a) Update upcoming-release-notes/7706.md - [`fd1af9b`](https://github.com/actualbudget/actual/commit/fd1af9b3336e8312dd36a46856a760a493b5051b) fix: rename release note to match PR number ### 📊 Changes **2 files changed** (+7 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `packages/sync-server/src/app-account.js` (+1 -0) ➕ `upcoming-release-notes/7707.md` (+6 -0) </details> ### 📄 Description ## Description Adds `skipSuccessfulRequests: true` to `authRateLimiter` in `app-account.js`. With this change, only **failed** login attempts consume rate limit quota. Successful logins (correct password) do not count. This preserves full brute-force protection — attackers generating repeated failures still hit the wall — while fixing breakage for legitimate API clients that re-authenticate per operation. ## Related issue(s) Fixes #7706 ## Testing Existing unit tests cover the rate-limiting behaviour. The `authRateLimiter.resetKey` pattern in the test suite is compatible with this change — successful requests simply won't increment the counter. ## Checklist - [x] Release notes added - [x] No obvious regressions in affected areas - [x] Self-review has been performed - I understand what each change in the code does and why it is needed --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-26 14:03:45 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/actual#97235