security: implement user lockout (#1552)

* add data-types required for login security * implement user lockout checking at login * cleanup legacy patterns * expose passwords in test_user * test user lockout after bad attempts * test user service * bump alembic version * save increment to database * add locked_at to datetime transformer on import * do proper test cleanup * implement scheduled task * spelling * document env variables * implement context manager for session * use context manager * implement reset script * cleanup generator * run generator * implement API endpoint for resetting locked users * add button to reset all locked users * add info when account is locked * use ignore instead of expect-error
2025-07-25 08:09:41 +02:00 · 2022-08-13 13:18:12 -08:00 · 2022-08-13 13:18:12 -08:00 · b3c41a4bd0
commit b3c41a4bd0
parent ca64584fd1
35 changed files with 450 additions and 46 deletions
--- a/docs/docs/documentation/getting-started/installation/backend-config.md
+++ b/docs/docs/documentation/getting-started/installation/backend-config.md
@ -18,7 +18,12 @@
 | ALLOW_SIGNUP  |         true          | Allow user sign-up without token (should match frontend env)                        |


+### Security

+| Variables                   | Default | Description                                                                         |
+| --------------------------- | :-----: | ----------------------------------------------------------------------------------- |
+| SECURITY_MAX_LOGIN_ATTEMPTS |    5    | Maximum times a user can provide an invalid password before their account is locked |
+| SECURITY_USER_LOCKOUT_TIME  |   24    | Time in hours for how long a users account is locked                                |

 ### Database

@ -39,7 +44,7 @@
 | SMTP_HOST          |  None   | Required For email                                |
 | SMTP_PORT          |   587   | Required For email                                |
 | SMTP_FROM_NAME     | Mealie  | Required For email                                |
-| SMTP_AUTH_STRATEGY |  TLS    | Required For email, Options: 'TLS', 'SSL', 'NONE' |
+| SMTP_AUTH_STRATEGY |   TLS   | Required For email, Options: 'TLS', 'SSL', 'NONE' |
 | SMTP_FROM_EMAIL    |  None   | Required For email                                |
 | SMTP_USER          |  None   | Required if SMTP_AUTH_STRATEGY is 'TLS' or 'SSL'  |
 | SMTP_PASSWORD      |  None   | Required if SMTP_AUTH_STRATEGY is 'TLS' or 'SSL'  |