industry · 2026-05-25 · 12 min read

My staff member is under a password-guessing attack: the pw_failures table and staff password lockout (PR #548 PP H4)

Ali, 41, has run Kutahya Lokumu + Cini Kafe, a 35-cover place on Ataturk Bulvari in Kutahya Merkez, for 13 years, and has been on thMenu Pro for 14 months. On a Monday at 09:15 his dashboard showed an orange banner: 5847 failed password attempts detected in the last 24 hours. He has five staff, and none of them forgets a password 5847 times. The audit log showed a single target, Ali's admin email, hit from 47 different IPs in 47 different /24 subnets: a botnet brute-force built to slip under the per-IP rate limit. Ali's password is 16 characters from a password manager, so every attempt failed, but the 5847 attempts per 24 hours kept coming. He wrote to support: "Is there a per-account lockout? Don't lock my account; I want the attacker to be unable to keep trying."

Engineering reproduced it. 5847 attempts over 47 IPs is about 124 attempts per IP per 24 hours, roughly one every 12 minutes, far below the Cloudflare Worker IP rate limit of 10 per 5 minutes. Spread across 47 IPs, the rate limit never fires at all. This is a botnet operation, not a clumsy script.

Three wrong theories came up first:
(1) Tighten the IP rate limit from 10 to 5 per 5 minutes. That hurts legitimate users, and the operator simply grows the pool from 47 to 100 IPs at 2 to 3 attempts each per 5 minutes and still bypasses it. Anti-pattern.
(2) Add a CAPTCHA. It breaks legitimate UX, and CAPTCHA-solving services at about $1 per 1000 do not stop a sophisticated attacker.
(3) An IP allowlist for login. Meaningless for a multi-location operator: Ali logs in from his phone, from tablets at two branches and from home WiFi, and the list becomes a maintenance burden.

The correct pattern is per-account lockout, which the PIN endpoint already had: PR #336 plus D1_OPS migration 0062 (the pin_failures table). The password endpoint needed the same pattern, but the table was missing and the lockout had never shipped.

The forensic read of apps/web-admin/src/app/api/staff/route.ts confirmed it. The PIN flow after PR #336 is:
(1) SELECT from pin_failures by email + restaurant_id where window_start > now - 30 min;
(2) if attempts >= 10, return 429 account_locked_30min. IP rotation does not help the attacker, because the key is the (restaurant_id, email_lc) tuple, not the source IP;
(3) on a successful PIN verify, DELETE the row; on failure, an atomic UPSERT that increments attempts, or resets it to 1 if the window is older than 30 minutes.
The password endpoint had none of this: only the Cloudflare Worker IP rate limit, and no pw_failures table at all.

A 90-day audit found the same brute-force pattern on 23 restaurants: 30 to 50 IPs spread across /24 subnets, 100 to 200 attempts per IP. Ali's case was the aggressive end of the range, 47 IPs at 124 attempts each.
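The reproduction above (124 attempts per IP per day, never tripping a 10-per-5-minute IP limit) is the kind of check that should be a script rather than a spreadsheet. The following is an added example and not thMenu's own code: a triage pass over an audit log that groups failures per target account, counts distinct source IPs and /24s, and tests whether any single IP would have tripped the Worker's per-IP limit. The event shape, the function names and the sample log (5847 failures from 47 IPs in 47 /24s, mirroring the numbers in this post) are constructed for the example; the 10-per-5-minute IP limit and the 5000-per-24h alarm are the figures the post gives.

```typescript
// Added example, not thMenu code. Offline triage of login audit events:
// is one account being hit from many IPs that each stay under the IP limit?

interface AuditEvent {
  ts: number;     // unix seconds
  email: string;  // targeted login email (already lower-cased)
  ip: string;     // source IPv4 (assumed; no IPv6 handling here)
  ok: boolean;    // true for a successful login
}

interface Finding {
  email: string;
  failures: number;
  distinctIps: number;
  distinctSubnets: number;  // distinct /24s
  maxPerIp: number;         // busiest single IP in the window
  ipLimitTripped: boolean;  // would the per-IP limit have fired at all?
}

function subnet24(ip: string): string {
  return ip.split(".").slice(0, 3).join(".") + ".0/24";
}

// Sliding-window check of the Worker's per-IP limit (10 attempts / 5 min):
// true if any IP ever had more than `limit` attempts inside `windowSec`.
function anyIpOverLimit(times: Map<string, number[]>, limit = 10, windowSec = 300): boolean {
  for (const list of times.values()) {
    const ts = [...list].sort((a, b) => a - b);
    let start = 0;
    for (let i = 0; i < ts.length; i++) {
      while (ts[i] - ts[start] >= windowSec) start++;
      if (i - start + 1 > limit) return true;
    }
  }
  return false;
}

// Group failures per account over the trailing `windowSec` and report the
// accounts at or above `alarmAt` failures (5000 / 24h in the post's checklist).
function triage(events: AuditEvent[], windowSec = 86400, alarmAt = 5000): Finding[] {
  const latest = events.reduce((m, e) => Math.max(m, e.ts), 0);
  const since = latest - windowSec;
  const perAccount = new Map<string, Map<string, number[]>>();
  for (const e of events) {
    if (e.ok || e.ts < since) continue;
    let byIp = perAccount.get(e.email);
    if (!byIp) { byIp = new Map<string, number[]>(); perAccount.set(e.email, byIp); }
    let list = byIp.get(e.ip);
    if (!list) { list = []; byIp.set(e.ip, list); }
    list.push(e.ts);
  }
  const findings: Finding[] = [];
  for (const [email, byIp] of perAccount) {
    let failures = 0;
    let maxPerIp = 0;
    const subnets = new Set<string>();
    for (const [ip, list] of byIp) {
      failures += list.length;
      maxPerIp = Math.max(maxPerIp, list.length);
      subnets.add(subnet24(ip));
    }
    if (failures < alarmAt) continue;
    findings.push({
      email, failures, distinctIps: byIp.size, distinctSubnets: subnets.size,
      maxPerIp, ipLimitTripped: anyIpOverLimit(byIp),
    });
  }
  return findings;
}

// Constructed sample log: 5847 failures against one admin from 47 IPs, each in
// its own /24, spread evenly over 24h, plus two ordinary events for another user.
function sampleLog(): AuditEvent[] {
  const base = 1_700_000_000;
  const events: AuditEvent[] = [];
  for (let i = 0; i < 5847; i++) {
    const s = i % 47;  // which bot sends this attempt
    events.push({ ts: base + Math.floor((i * 86400) / 5847), email: "ali@example.com",
                  ip: `198.18.${s}.${s + 1}`, ok: false });
  }
  events.push({ ts: base + 3600, email: "ayse@example.com", ip: "10.0.0.5", ok: false });
  events.push({ ts: base + 3660, email: "ayse@example.com", ip: "10.0.0.5", ok: true });
  return events;
}

console.log(triage(sampleLog()));
```

The output for the sample log is one finding for ali@example.com with 5847 failures, 47 IPs, 47 subnets, a busiest IP at 125 attempts and ipLimitTripped false: exactly the signature that an IP rate limit alone cannot see, and the one a per-account counter sees immediately.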
PR #548 (batch PP H4) is a three-layer fix.
Layer 1: D1_OPS migration 0076 creates pw_failures as a mirror of pin_failures: restaurant_id, email_lc, window_start, attempts, last_attempt, with a primary key on the tuple and an idx_pw_failures_window index. Applied to the remote database.
Layer 2: a password lockout helper in apps/web-admin/src/app/api/staff/route.ts, the same pattern as the PIN flow: (1) SELECT attempts for the account; (2) if >= 10, return 429 account_locked_30min with an i18n message; (3) on failure, an atomic UPSERT with a 30-minute window; (4) on success, DELETE the row.
Layer 3: CLAUDE.md documentation and a sibling sweep. PIN and password are now symmetric, and every future auth surface is required to carry the same lockout.

Note the trade-off that comes with any per-account lock: ten wrong guesses against a known email lock that user out for 30 minutes as well, which is why the threshold sits far above the 1 to 3 attempts a legitimate login takes.

Production audit: 23 affected restaurants, with personal outreach to 22 of them plus Ali. With the pw_failures lockout active, legitimate logins at 1 to 3 attempts are untouched. Seven days after deploy, brute-force volume was down 93% and the botnet operator gave up: further attempts do not reset the counter once the lock engages, so every rotated IP hits the same 30-minute wall. Zero breaches.

Ali went into the Hall of Fame with a 3-month Pro credit, and his tweet reached 1.1k. Tom, who has run Newcastle Brown Ale House (55 covers, Sunday roast and Brown Ale) on Newcastle Quayside for 14 years, reported 6200 attempts from 60 IPs in a parallel disclosure and also received a 3-month Pro credit.

The pattern: every authentication endpoint (PIN, password, magic link, OAuth) needs per-account lockout ALONGSIDE IP rate limiting. Botnet IP rotation bypasses an IP rate limit; a per-account lock cannot be bypassed when the attacker has a single target email. Sibling sweep: PIN (PR #336), password (PR #548 PP H4), magic link (PR #335), OAuth-PKCE (PR #526 HH), affiliate OTP (PR #646 VI F3).

Implementation checklist for a new auth endpoint: identify the endpoint; create a D1 _failures table; atomic UPSERT with a 30-minute window; DELETE on success; a lockout threshold; an i18n locale-aware lockout message; a PR template checkbox; a quarterly audit; and brute-force pattern detection that alarms at 5000+ attempts per 24 hours. PR #548 is the reference implementation.
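The four-step lockout flow (SELECT, threshold check, atomic UPSERT, DELETE on success) keyed on (restaurant_id, email_lc) is small enough to show end to end. The following is an added example, not thMenu's route.ts or migration 0076: the D1 layer is replaced by an in-memory store so it runs offline, the SQL strings are my assumption of what a D1 backend for the same shape would execute, and the restaurant id, email and password are constructed sample data. The threshold of 10 and the 30-minute window are the values the post states.

```typescript
// Added example, not thMenu code: per-account password lockout keyed on
// (restaurant_id, email_lc). No source IP appears in the key, so rotating
// IPs buys the attacker nothing.

const LOCK_THRESHOLD = 10;     // failures before 429 (from the post)
const WINDOW_SEC = 30 * 60;    // 30-minute window (from the post)

interface FailureRow {
  window_start: number;  // unix seconds of the first failure in this window
  attempts: number;
  last_attempt: number;
}

interface FailureStore {
  get(restaurantId: string, emailLc: string): FailureRow | undefined;
  put(restaurantId: string, emailLc: string, row: FailureRow): void;
  del(restaurantId: string, emailLc: string): void;
}

// Stand-in for the D1 table; the real helper would run the SQL below instead.
class MemoryFailureStore implements FailureStore {
  private rows = new Map<string, FailureRow>();
  private key(r: string, e: string): string { return `${r}\u0000${e}`; }
  get(r: string, e: string): FailureRow | undefined { return this.rows.get(this.key(r, e)); }
  put(r: string, e: string, row: FailureRow): void { this.rows.set(this.key(r, e), row); }
  del(r: string, e: string): void { this.rows.delete(this.key(r, e)); }
}

// Assumed D1/SQLite statements for the same flow (not the text of migration 0076).
const PW_FAILURES_SQL = {
  select: `SELECT attempts, window_start, last_attempt FROM pw_failures
           WHERE restaurant_id = ?1 AND email_lc = ?2 AND window_start > ?3`,
  upsert: `INSERT INTO pw_failures (restaurant_id, email_lc, window_start, attempts, last_attempt)
           VALUES (?1, ?2, ?3, 1, ?3)
           ON CONFLICT (restaurant_id, email_lc) DO UPDATE SET
             attempts     = CASE WHEN window_start > ?3 - ${WINDOW_SEC} THEN attempts + 1 ELSE 1 END,
             window_start = CASE WHEN window_start > ?3 - ${WINDOW_SEC} THEN window_start ELSE ?3 END,
             last_attempt = ?3`,
  delete: `DELETE FROM pw_failures WHERE restaurant_id = ?1 AND email_lc = ?2`,
};

function normalizeEmail(raw: string): string {
  return raw.trim().toLowerCase();  // email_lc: the lookup key must be canonical
}

type LoginResult =
  | { status: 200 }
  | { status: 401; attempts: number }
  | { status: 429; error: "account_locked_30min"; retryAfterSec: number };

// Steps 1 and 2: seconds until the lock lifts, or 0 when the account is open.
function lockRemaining(store: FailureStore, rid: string, emailLc: string, now: number): number {
  const row = store.get(rid, emailLc);
  if (!row || row.window_start <= now - WINDOW_SEC) return 0;  // no live window
  if (row.attempts < LOCK_THRESHOLD) return 0;
  return row.window_start + WINDOW_SEC - now;
}

// Step 3: the UPSERT. +1 inside a live window, otherwise start a fresh one at 1.
function recordFailure(store: FailureStore, rid: string, emailLc: string, now: number): number {
  const row = store.get(rid, emailLc);
  if (row && row.window_start > now - WINDOW_SEC) {
    const next = { window_start: row.window_start, attempts: row.attempts + 1, last_attempt: now };
    store.put(rid, emailLc, next);
    return next.attempts;
  }
  store.put(rid, emailLc, { window_start: now, attempts: 1, last_attempt: now });
  return 1;
}

function passwordLogin(
  store: FailureStore, rid: string, emailRaw: string, password: string,
  verify: (emailLc: string, password: string) => boolean, now: number,
): LoginResult {
  const emailLc = normalizeEmail(emailRaw);
  const wait = lockRemaining(store, rid, emailLc, now);
  if (wait > 0) return { status: 429, error: "account_locked_30min", retryAfterSec: wait };  // before any verify work
  if (verify(emailLc, password)) {
    store.del(rid, emailLc);  // step 4: success clears the counter
    return { status: 200 };
  }
  return { status: 401, attempts: recordFailure(store, rid, emailLc, now) };
}

// Worked run: guesses against one account at one per minute (a throttled botnet)
// are refused from the 11th attempt on, even with the right password, until the
// window expires; the owner then logs in normally.
function demo(): { lockedAt: number; lockedWithRightPassword: boolean; recoveredAfterWindow: boolean } {
  const store = new MemoryFailureStore();
  const rid = "rest_kutahya_42";  // constructed sample data
  const verify = (e: string, pw: string) => e === "ali@example.com" && pw === "correct horse battery staple";
  let t = 1_700_000_000;
  let lockedAt = 0;
  for (let i = 1; i <= 20; i++) {
    const r = passwordLogin(store, rid, " Ali@Example.com ", `guess-${i}`, verify, t);
    if (r.status === 429) { lockedAt = i; break; }
    t += 60;
  }
  const lockedWithRightPassword =
    passwordLogin(store, rid, "ali@example.com", "correct horse battery staple", verify, t).status === 429;
  const recoveredAfterWindow =
    passwordLogin(store, rid, "ali@example.com", "correct horse battery staple", verify, t + WINDOW_SEC).status === 200;
  return { lockedAt, lockedWithRightPassword, recoveredAfterWindow };
}

console.log(demo(), PW_FAILURES_SQL.upsert.length > 0);
```

Two details matter in practice. The 429 is returned before the password is verified, so a locked account does not burn hashing work and further guesses do not touch the row; the lock lifts only when the window that began at the first failure expires. And the key is restaurant_id plus the lower-cased email, so the same email at a different restaurant is a separate counter.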


thMenu Team

thmenu.com
