starred/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-05-30 23:40:40 +02:00
Code Issues 1.0k Packages Projects Releases 10 Wiki Activity

about login security #35

New Issue
Closed
opened 2026-04-24 22:56:54 +02:00 by adam · 4 comments
adam commented 2026-04-24 22:56:54 +02:00
Owner
Copy Link
Copy Source

Originally created by @Hyperion923 on GitHub (Sep 29, 2021).

Please change the error message from "User not found" and "Invalid password" to "Invalid user or password" so that the users cannot be tested by bruteforce.
for example:

  async login(req, res) {
    var username = req.body.username
    var password = req.body.password || ''
    Logger.debug('Check Auth', username, !!password)

    var user = this.users.find(u => u.username === username)
    var compare = await bcrypt.compare(password, user.pash)

    if (!user) {
      return res.json({error: 'Invalid user or password'})
    } else if (!user.isActive && compare) {
      return res.json({error: 'User unavailable'})
    }

    // Check passwordless root user
    if (user.id === 'root' && (!user.pash || user.pash === '')) {
      if (password) {
        return res.json({ error: 'Invalid root password (hint: there is none)' })
      } else {
        return res.json({ user: user.toJSONForBrowser() })
      }
    }

    // Check password match
    if (compare) {
      res.json({
        user: user.toJSONForBrowser()
      })
    } else {
      res.json({
        error: 'Invalid user or password'
      })
    }
  }
Originally created by @Hyperion923 on GitHub (Sep 29, 2021). Please change the error message from "User not found" and "Invalid password" to "Invalid user or password" so that the users cannot be tested by bruteforce. for example: ``` javascript async login(req, res) { var username = req.body.username var password = req.body.password || '' Logger.debug('Check Auth', username, !!password) var user = this.users.find(u => u.username === username) var compare = await bcrypt.compare(password, user.pash) if (!user) { return res.json({error: 'Invalid user or password'}) } else if (!user.isActive && compare) { return res.json({error: 'User unavailable'}) } // Check passwordless root user if (user.id === 'root' && (!user.pash || user.pash === '')) { if (password) { return res.json({ error: 'Invalid root password (hint: there is none)' }) } else { return res.json({ user: user.toJSONForBrowser() }) } } // Check password match if (compare) { res.json({ user: user.toJSONForBrowser() }) } else { res.json({ error: 'Invalid user or password' }) } } ````
adam closed this issue 2026-04-24 22:56:54 +02:00
adam commented 2026-04-24 22:56:55 +02:00
Author
Owner
Copy Link
Copy Source

@advplyr commented on GitHub (Sep 29, 2021):

Good point. Do you think there should be any limit on attempts to login?

@advplyr commented on GitHub (Sep 29, 2021): Good point. Do you think there should be any limit on attempts to login?
adam commented 2026-04-24 22:56:55 +02:00
Author
Owner
Copy Link
Copy Source

@Hyperion923 commented on GitHub (Sep 29, 2021):

Yes it is a good Idea. Maybe you can add an option for the limit of attempts in the root option menu.

@Hyperion923 commented on GitHub (Sep 29, 2021): Yes it is a good Idea. Maybe you can add an option for the limit of attempts in the root option menu.
adam commented 2026-04-24 22:56:56 +02:00
Author
Owner
Copy Link
Copy Source

@Jdiesel87 commented on GitHub (Sep 29, 2021):

A lot of people who are serious about security on their self hosted server setups will use software like Fail2ban to monitor failed login attempts and issue an IP ban after a set number of failed attempts. It works by parsing the log files for instances of failed attempts. As long as the information is in the log files it can be setup.

I can't think of any other similar product in this genre that allows you to set a limit on login attempts. Not saying it is a bad idea but I am curious to why that is the case.

@Jdiesel87 commented on GitHub (Sep 29, 2021): A lot of people who are serious about security on their self hosted server setups will use software like Fail2ban to monitor failed login attempts and issue an IP ban after a set number of failed attempts. It works by parsing the log files for instances of failed attempts. As long as the information is in the log files it can be setup. I can't think of any other similar product in this genre that allows you to set a limit on login attempts. Not saying it is a bad idea but I am curious to why that is the case.
adam commented 2026-04-24 22:56:56 +02:00
Author
Owner
Copy Link
Copy Source

@advplyr commented on GitHub (Sep 29, 2021):

Just released v1.2.8.

Login rate limit & login rate limit window are options in server settings, but I haven't added them to config yet. I think the default is reasonable for now.

@advplyr commented on GitHub (Sep 29, 2021): Just released [`v1.2.8`](https://github.com/advplyr/audiobookshelf/releases/tag/v1.2.8). Login rate limit & login rate limit window are options in server settings, but I haven't added them to config yet. I think the default is reasonable for now.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
authentication
backlog
bug
chapter editor
config-issue
ebooks
encoding/embedding
enhancement
help wanted
listening sessions & progress
planned
possible plugin
progress sync
pull-request
Mirrored from GitHub Pull Request
 sorting/filtering/searching
unable to reproduce
upload
users & permissions
waiting
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam (Adam Melkus)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/audiobookshelf#35
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?