Ten wrong passwords from the same (username, client-IP) tuple within
15 minutes now return 429 with Retry-After for the next 15 minutes;
authenticate() isn't even called while locked, so the 429 response is
identical whether the password would have been correct — no oracle.
Tuple keying prevents an attacker from one IP from locking the real
admin out of their own box: a different IP (or an ISP reconnect) keeps
them in. The client IP comes from the rightmost X-Forwarded-For entry,
which is what Caddy appends and thus trustworthy (no upstream proxy in
front of Caddy). First-run setup bypasses the lockout — otherwise a
clumsy operator could lock themselves out before an admin exists.
State is in-memory (parallel to SessionStore), so `systemctl restart
furtka` clears a stuck lockout.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Daniel Maksymilian Syrnicki
1cff22658b