Login Guard

Protection against repeated login attempts.

● ● ●

use runique::prelude::*;
use std::sync::Arc;

// In main() or in the routes module
let guard = Arc::new(
    LoginGuard::new()
        .max_attempts(5)    // attempts before lockout
        .lockout_secs(300), // 5-minute lockout
);

// Clean up expired entries regularly
guard.spawn_cleanup(tokio::time::Duration::from_secs(60));

pub async fn login(
    mut request: Request,
    Prisme(form): Prisme<LoginForm>,
    State(guard): State<Arc<LoginGuard>>,
) -> AppResult<Response> {
    let username = form.get_string("username");
    let ip       = request.client_ip().unwrap_or_default();

    // Key by username if filled, otherwise by IP
    if guard.is_locked_for(&username, &ip) {
        let secs = guard.retry_after_secs_for(&username, &ip);
        warning!(request.notices => format!("Account locked. Try again in {secs}s."));
        return request.render("auth/login.html");
    }

    if request.is_post() && form.is_valid().await {
        match authenticate(&username, &password, &db).await {
            Some(user) => {
                guard.record_success_for(&username, &ip);
                auth_login(&request.session, &db, user.id).await;
                return Ok(Redirect::to("/profile").into_response());
            }
            None => {
                guard.record_failure_for(&username, &ip);
                error!(request.notices => "Incorrect credentials.");
            }
        }
    }
    request.render("auth/login.html")
}

Home