- Lock accounts for 15 minutes after 5 consecutive failed login attempts
- Send urgent ntfy notification when an account is locked
- Send high-priority ntfy notification on login attempt against a locked account
- Auto-reset lockout on expiry; reset counter on successful login
- Add v2.4 migration for failed_login_attempts and locked_until columns
- Add ALLOWED_ORIGINS and SECURE_COOKIES to .env.example
- Update README: lockout row in security table, new ntfy events
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
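
The lockout rules listed in the commit message above, as an added example that is not the project's own code. The column names `failed_login_attempts` and `locked_until` come from the v2.4 migration; the `User` class, `attempt_login` and the `notify` callback are hypothetical, and checking the lock before the password without extending the window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

MAX_FAILED_ATTEMPTS = 5                    # from the commit message
LOCKOUT_DURATION = timedelta(minutes=15)   # from the commit message


@dataclass
class User:
    # Field names mirror the v2.4 migration columns; the class is assumed.
    failed_login_attempts: int = 0
    locked_until: Optional[datetime] = None


def attempt_login(user: User, password_ok: bool, now: datetime,
                  notify: Callable[[str, str], None]) -> str:
    """Apply the lockout policy to one login attempt.

    Returns "ok", "denied" or "locked". notify(priority, message) stands in
    for the ntfy call (hypothetical signature).
    """
    if user.locked_until is not None:
        if now < user.locked_until:
            # Assumption: the lock is checked before the password result is
            # used, so a locked account gives no feedback on guesses and
            # further attempts do not extend the lock window.
            notify("high", "login attempt against locked account")
            return "locked"
        # Lock has expired: auto-reset both columns.
        user.locked_until = None
        user.failed_login_attempts = 0

    if password_ok:
        # Successful login resets the consecutive-failure counter.
        user.failed_login_attempts = 0
        return "ok"

    user.failed_login_attempts += 1
    if user.failed_login_attempts >= MAX_FAILED_ATTEMPTS:
        user.locked_until = now + LOCKOUT_DURATION
        notify("urgent", "account locked")
        return "locked"
    return "denied"
```
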

Sends alerts on admin login, new registrations, user disable/delete, and
impersonation. NTFY_URL and NTFY_TOKEN are optional — leave blank to disable.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- models.py: add UniqueConstraint(user_id, date) to flock_history so
duplicate flock entries for the same day are rejected at the DB level
- main.py: v2.3 migration applies the new unique constraint to existing
installs at startup
- login.html: update register form minlength and placeholder from 6 to 10
characters to match backend; add specific 429 error message so rate-
limited users see "Too many attempts — please wait a minute" instead of
a generic failure
- auth.js: update settings modal password input minlength from 6 to 10
- summary.js: fix CSV export truncation — pass limit=10000 so users with
more than 500 days of data get a complete export; read chart border color
from --green CSS variable instead of hardcoded hex
- All HTML files: bump JS version params to ?v=4 so browsers discard
cached copies of files changed across recent sessions (api.js, auth.js,
dashboard.js, history.js, log.js, flock.js, budget.js, summary.js,
admin.js)
- .env.example: add password strength guidance for MySQL and admin vars
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>