soulsync/core/security
BoulderBadgeDad 0d1e949798 Security: brute-force limiter on the launch-PIN unlock (Tier 2)
A publicly-exposed instance gated only by the launch PIN was brute-forceable. Added
a lenient in-memory failed-attempt limiter (core/security/rate_limit.py): 10 wrong
PINs from one IP within 5 min → 429 with Retry-After, failures age out on their own
(self-heal, no persistent lockout), and a CORRECT entry clears that IP instantly.

Wired into /api/profiles/verify-launch-pin. By design it can only ever trigger on a
flood of WRONG PINs — correct entry, a couple of typos, or a no-PIN install are
never affected, so normal use sees no change. Keyed per-IP so an attacker can't
lock out a legit user.

Tests: limiter is lenient under threshold, trips on a flood, success clears it,
failures self-heal, per-IP isolation; endpoint returns 429 after 10 wrong PINs with
Retry-After. 6 tests pass.
2026-06-10 20:47:46 -07:00
..
__init__.py Security: enforce the launch PIN server-side, not just a client overlay (#832) 2026-06-09 22:19:14 -07:00
launch_lock.py Fix: launch PIN re-triggered the first-run setup wizard every visit (#842) 2026-06-10 11:40:47 -07:00
rate_limit.py Security: brute-force limiter on the launch-PIN unlock (Tier 2) 2026-06-10 20:47:46 -07:00
reverse_proxy.py Security: opt-in reverse-proxy mode (ProxyFix + Secure cookie) + nginx guide 2026-06-10 20:36:49 -07:00