Add login lockout with ntfy alerts and update docs

- Lock accounts for 15 minutes after 5 consecutive failed login attempts - Send urgent ntfy notification when an account is locked - Send high-priority ntfy notification on login attempt against a locked account - Auto-reset lockout on expiry; reset counter on successful login - Add v2.4 migration for failed_login_attempts and locked_until columns - Add ALLOWED_ORIGINS and SECURE_COOKIES to .env.example - Update README: lockout row in security table, new ntfy events Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 23:11:30 -07:00
parent 7cd2dfb710
commit 2d3ad3a06c
5 changed files with 89 additions and 10 deletions
--- a/.env.example
+++ b/.env.example
@@ -19,6 +19,16 @@ ADMIN_PASSWORD=change_me
 #   openssl rand -hex 32
 JWT_SECRET=change_me

+# ── CORS ─────────────────────────────────────────────────────────────────────
+# Comma-separated list of external origins that may call the API.
+# Leave empty if the API is only accessed via the bundled nginx frontend (same-origin).
+# Example: ALLOWED_ORIGINS=https://myapp.example.com,https://admin.example.com
+ALLOWED_ORIGINS=
+
+# ── Cookies ───────────────────────────────────────────────────────────────────
+# Set to false only when testing locally over plain HTTP (no HTTPS/NRP)
+SECURE_COOKIES=true
+
 # ── Ntfy push notifications (optional) ───────────────────────────────────────
 # Sends alerts for: new registrations, admin logins, user disable/delete, impersonation.
 # Use https://ntfy.sh/your-secret-topic or a self-hosted ntfy URL.