Harden auth login against brute-force and refresh security docs

2026-03-01 18:24:26 -03:00
parent 9cbbd80f47
commit 4c27fd6483
12 changed files with 715 additions and 3 deletions
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -8,6 +8,10 @@ AUTH_BOOTSTRAP_ADMIN_USERNAME=admin
 AUTH_BOOTSTRAP_ADMIN_PASSWORD=replace-with-random-admin-password
 AUTH_BOOTSTRAP_USER_USERNAME=user
 AUTH_BOOTSTRAP_USER_PASSWORD=replace-with-random-user-password
+AUTH_LOGIN_FAILURE_LIMIT=5
+AUTH_LOGIN_FAILURE_WINDOW_SECONDS=900
+AUTH_LOGIN_LOCKOUT_BASE_SECONDS=30
+AUTH_LOGIN_LOCKOUT_MAX_SECONDS=900
 APP_SETTINGS_ENCRYPTION_KEY=replace-with-random-settings-encryption-key
 PROCESSING_LOG_STORE_MODEL_IO_TEXT=false
 PROCESSING_LOG_STORE_PAYLOAD_TEXT=false