Closed J-Stuff closed 1 year ago
If you have a sufficiently long admin password, a brute force attack is no longer an issue. I personally use a 20+ character long admin password stored in a password manager.
I always like to link this to people who bring up brute force attacks... https://xkcd.com/936/
If somebody wants to PR reCAPTCHA support then be my guest and I'll consider merging it if I think the implementation is decent. I don't use Cloudflare so I'm not going to spend time tinkering with support for their services which I do not use.
This isn't something that I believe to be an issue. Fireshare is meant to be a simple self hosted solution, not something that is likely to be targeted by a large hacker network. It probably shouldn't be used as a business's front-end for their media.
However, Fireshare has a single login which is for the administrator. This is not a user login and not designed to be shared and used by multiple people (even though you technically can).
I should mention that I don't mean to come off as simply tossing your suggestion to the side. I just have to pick and choose from a large pile of suggestions what I want to spend my time working on. I'm not paid to work on this project so I pretty much only add things that I personally get use out of when I have the time... which lately has been seldom.
But it is open source, specifically because I would love people to help me improve the application.
Currently, the login page is not rate-limited, allowing for a brute-force login attack. My suggestion would be to rate-limit the login endpoint and/or add support for Cloudflare Turnstile or reCAPTCHA on the login page.
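A worked example of the rate-limiting half of this suggestion, added here as an illustration; it is not Fireshare's code and does not touch its codebase. It is framework-agnostic Python: `login_handler` stands in for whatever the real login endpoint does, the `LoginRateLimiter` class, its thresholds and the credential constants (`ADMIN_USERNAME`, `ADMIN_SALT`, `ADMIN_HASH`) are all constructed for the demo, and the clock is injectable so the lockout behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Constructed demo credential (not Fireshare's storage format): a PBKDF2 hash
# of the password "correct-horse-battery-staple" under a random salt.
PBKDF2_ITERATIONS = 100_000
ADMIN_USERNAME = "admin"
ADMIN_SALT = os.urandom(16)
ADMIN_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct-horse-battery-staple", ADMIN_SALT, PBKDF2_ITERATIONS)


class LoginRateLimiter:
    """Per-client-IP sliding window with escalating lockouts (hypothetical).

    Throttling is keyed on the client address, not on the account: with a
    single admin login, a per-account lockout would let anyone who knows the
    username lock the real administrator out.
    """

    def __init__(self, max_attempts=5, window_seconds=60.0,
                 base_lockout_seconds=60.0, max_lockout_seconds=3600.0,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.base_lockout_seconds = base_lockout_seconds
        self.max_lockout_seconds = max_lockout_seconds
        self.clock = clock          # injectable so tests need not sleep
        self._failures = {}         # ip -> deque of failure timestamps
        self._lockouts = {}         # ip -> (unlock_at, consecutive lockouts)

    def retry_after(self, ip):
        """Seconds until this client may try again; 0.0 means allowed now."""
        unlock_at, _ = self._lockouts.get(ip, (0.0, 0))
        return max(0.0, unlock_at - self.clock())

    def record_failure(self, ip):
        now = self.clock()
        window = self._failures.setdefault(ip, deque())
        while window and now - window[0] > self.window_seconds:
            window.popleft()        # drop failures older than the window
        window.append(now)
        if len(window) >= self.max_attempts:
            _, strikes = self._lockouts.get(ip, (0.0, 0))
            # Each successive lockout doubles (capped), so a slow brute force
            # that waits out every lockout still gets throttled harder.
            lockout = min(self.base_lockout_seconds * 2 ** strikes,
                          self.max_lockout_seconds)
            self._lockouts[ip] = (now + lockout, strikes + 1)
            window.clear()

    def record_success(self, ip):
        self._failures.pop(ip, None)
        self._lockouts.pop(ip, None)


def verify_password(username, password):
    """Constant-time comparison against the stored PBKDF2 hash."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), ADMIN_SALT, PBKDF2_ITERATIONS)
    # Compute both checks before combining them so a wrong username costs the
    # same time as a wrong password.
    user_ok = hmac.compare_digest(username.encode(), ADMIN_USERNAME.encode())
    pass_ok = hmac.compare_digest(candidate, ADMIN_HASH)
    return user_ok and pass_ok


def login_handler(limiter, client_ip, username, password):
    """What a login endpoint would do per request; returns (status, body)."""
    wait = limiter.retry_after(client_ip)
    if wait > 0:
        # 429 plus a Retry-After hint; the password is not checked while locked.
        return 429, {"error": "too many attempts", "retry_after": round(wait)}
    if verify_password(username, password):
        limiter.record_success(client_ip)
        return 200, {"ok": True}
    limiter.record_failure(client_ip)
    return 401, {"error": "invalid credentials"}   # same message for either field


if __name__ == "__main__":
    limiter = LoginRateLimiter(max_attempts=3)
    for _ in range(3):
        print(login_handler(limiter, "203.0.113.7", "admin", "guess"))
    print(login_handler(limiter, "203.0.113.7", "admin", "correct-horse-battery-staple"))
```

Two caveats when wiring something like this into a real deployment: the client address must be the real one (behind a reverse proxy, read the forwarded header only from a trusted proxy, otherwise every visitor shares one bucket and one attacker can lock everyone out), and the in-memory state resets on restart, which is acceptable for a single-process self-hosted app but not for anything horizontally scaled. A CAPTCHA such as Turnstile or reCAPTCHA addresses a different problem (bots rather than volume) and complements rather than replaces the throttle.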