industry · 2026-05-25 · 12 min read

My employee was under a password brute-force attack — pw_failures + staff lockout (PR #548 PP H4)

Tom, 39, has run the Newcastle Brown Ale House for 14 years: a 55-cover traditional British pub on the Newcastle Quayside, known for its Sunday roast, Newcastle Brown Ale on tap and house-cured pork pies. He has been on thMenu Pro for 16 months.

On a Monday at 09:15 his admin panel showed an amber security banner: 6,200 failed password attempts in the past 24 hours, with a prompt to review the team. His staff of 6 could not plausibly have produced 6,200 attempts. The audit log showed every attempt was against the same staff email, tom@brownalehouse.uk, coming from 60 distinct /24 subnets: a botnet brute-forcing a single target (Tom's admin email) through a distributed IP pool, which slipped under the IP-based rate limit. Tom's password is strong (16 characters, generated by a password manager), so the 6,200 attempts had all failed, but the attack was still running, and a continuing attack risks eventual success or a rate-limit bypass. His support email was short: 6,200 attempts, 60 IPs, brute-force attack, does thMenu have a per-account lockout?

Engineering reproduced the numbers: 6,200 attempts across 60 IPs over 24 hours is roughly 103 per IP, about 4 per hour per IP, well under the Cloudflare Worker IP rate limit of 10 attempts per 5 minutes. The limit never triggered. That is exactly what a botnet is for.

Three wrong theories came up first. (1) Tighten the IP rate limit from 10 to 5 per 5 minutes: legitimate users get locked out after 5 wrong attempts, while the attacker simply scales the botnet from 60 to 100 IPs and sends 2-3 attempts per IP per 5 minutes, still under the threshold. An anti-pattern. (2) Add a CAPTCHA: it hurts legitimate UX on every login, CAPTCHA-solving services cost around $1 per 1,000 solves, and it does not stop a determined attacker. (3) IP-allowlist the admin panel: senseless for a multi-location setup. Tom logs in from his phone, two location tablets and his home WiFi, and the allowlist would be a permanent maintenance burden.

The correct pattern is per-account lockout, and we had already shipped it for PINs in PR #336 together with D1_OPS migration 0062 (the pin_failures table). The same pattern was meant to cover passwords, but the corresponding table never existed, so the password lockout never shipped.

The forensic trace is in apps/web-admin/src/app/api/staff/route.ts. The PIN flow after PR #336 works like this: (1) given the email and restaurant_id, pull the pin_failures row from D1 with a SELECT filtered on window_start > now - 30 minutes; (2) if attempts >= 10, return 429 account_locked_30min. IP rotation does not help the attacker here, because the key is the (restaurant_id, email_lc) tuple, not the source IP; (3) on a successful PIN verify, DELETE the pin_failures row; on a failure, run an atomic UPSERT that sets attempts += 1, or resets attempts to 1 if the window is older than 30 minutes. The same flow was simply absent from the password endpoint: it had only the Cloudflare Worker IP rate limit, and the pw_failures table did not exist.

A 90-day audit deepened the picture: 23 restaurants showed the same pattern, typically 30-50 IPs across /24 subnets with 100-200 attempts per IP. Tom's case was at the upper end at 60 IPs and about 103 attempts per IP.

PR #548 (batch PP H4) is a 3-layer fix.

Layer 1: D1_OPS migration 0076 creates the pw_failures table, mirroring the pin_failures schema: restaurant_id, email_lc, window_start, attempts and last_attempt, with a primary key and the idx_pw_failures_window index. Applied remotely.

Layer 2: a password lockout helper in apps/web-admin/src/app/api/staff/route.ts that mirrors the PIN flow: (1) SELECT attempts for the account; (2) if attempts >= 10, return 429 account_locked_30min with an i18n locale-aware message; (3) atomic UPSERT with a 30-minute sliding window; (4) DELETE the row on a successful password verify.

Layer 3: documentation in CLAUDE.md plus a sibling sweep. PIN lockout (PR #336) and password lockout (PR #548 PP H4) are now symmetric, and any future staff auth surface is forced to apply the pattern through the docs and a PR template checkbox.

After the production audit, the 23 affected restaurants received personal outreach: the pw_failures lockout is active, and users on password managers (1-3 attempts) are not affected by it. In the 7 days after deploy, brute-force attempts dropped 93%; the botnet operators abandoned the target once the lockout started rejecting their attempts, and there were 0 successful breaches. Tom went into the Hall of Fame with a 3-month Pro tier credit, and tweeted about the protection to his 2.3k followers among Newcastle's small restaurants.

Ali runs Kutahya Lokumu + Cini Kafe on Ataturk Bulvari in Kutahya Merkez, a 35-cover Turkish-delight, Turkish-coffee and tile-craft cafe he has had for 13 years. He saw 5,847 attempts from 47 IPs, an aggressive parallel attack, and disclosed it to us; he got the same fix, a 3-month Pro credit and a Hall of Fame entry.

The pattern: every authentication endpoint (PIN, password, magic-link, OAuth) must enforce per-account lockout ALONGSIDE the IP rate limit. Botnet IP rotation bypasses an IP rate limit; a per-account lockout cannot be bypassed that way, because it is keyed off the single target email.

The sibling sweep covers: PIN lockout (PR #336); password lockout (PR #548 PP H4); magic-link (PR #335, plus the customer_email_links TTL); send-magic-link (PR #626 GGG F5, Gmail-alias normalisation); OAuth PKCE (PR #526 HH, atomic rotation); affiliate OTP (PR #646 VI F3, atomic TOCTOU fix).

Implementation checklist for any auth endpoint: identify the endpoint; create a D1 _failures table for it; atomic UPSERT with a sliding 30-minute window; DELETE the row on successful auth; lockout thresholds of 10 for PIN, 10 for password and 5 sends per 15 minutes for magic-link; i18n locale-aware lockout message; PR template checkbox; quarterly auth-surface audit; brute-force pattern detection with an alarm at 5,000+ attempts per 24 hours.
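The per-account lockout flow described above, as an added example that is not thMenu's own code: an in-memory Map stands in for the D1 pw_failures table, the function names are hypothetical, the thresholds match the post (10 attempts, 30-minute window), and the simulated botnet uses a constructed attempt timeline. The source IP is deliberately not an input, which is why rotating IPs does not help.

```typescript
// Added example, not thMenu's code. Per-account lockout keyed on
// (restaurant_id, email_lc) with a 30-minute sliding window.
const LOCKOUT_THRESHOLD = 10;          // 429 account_locked_30min at this count
const WINDOW_MS = 30 * 60 * 1000;      // 30-minute window

interface FailureRow { window_start: number; attempts: number; last_attempt: number }

// Hypothetical in-memory stand-in for the D1 pw_failures table.
const pwFailures = new Map<string, FailureRow>();

function rowKey(restaurantId: string, email: string): string {
  // email_lc: normalise case so "Tom@" and "tom@" share one row.
  return `${restaurantId}|${email.trim().toLowerCase()}`;
}

// Steps 1+2: SELECT the row and check attempts within the live window.
function isLocked(restaurantId: string, email: string, now: number): boolean {
  const row = pwFailures.get(rowKey(restaurantId, email));
  return row !== undefined
    && row.window_start > now - WINDOW_MS
    && row.attempts >= LOCKOUT_THRESHOLD;
}

// Step 3: UPSERT on failure: attempts += 1, or reset to 1 if the window expired.
function recordFailure(restaurantId: string, email: string, now: number): FailureRow {
  const k = rowKey(restaurantId, email);
  const row = pwFailures.get(k);
  const next: FailureRow = row !== undefined && row.window_start > now - WINDOW_MS
    ? { window_start: row.window_start, attempts: row.attempts + 1, last_attempt: now }
    : { window_start: now, attempts: 1, last_attempt: now };
  pwFailures.set(k, next);
  return next;
}

// Step 4: a successful password verify DELETEs the row.
function clearFailures(restaurantId: string, email: string): void {
  pwFailures.delete(rowKey(restaurantId, email));
}

// Constructed scenario: ipCount distinct source IPs, one wrong guess each,
// one minute apart. Returns how many guesses got through before the lockout.
function simulateRotatingBotnet(restaurantId: string, email: string, ipCount: number): number {
  pwFailures.clear();
  const start = 1700000000000; // constructed epoch milliseconds
  for (let i = 0; i < ipCount; i++) {
    const now = start + i * 60000;
    if (isLocked(restaurantId, email, now)) return i; // would be a 429 here
    recordFailure(restaurantId, email, now);
  }
  return ipCount; // never locked
}
```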
Reference: PR #548.


thMenu Team

thmenu.com
