Merge pull request #16998 from misskey-dev/develop

Release: 2025.12.2
author: misskey-release-bot[bot] <157398866+misskey-release-bot[bot]@users.noreply.github.com> 2025-12-22 05:30:45 +0000
committer: GitHub <noreply@github.com> 2025-12-22 05:30:45 +0000
commit: 0d46089f9a18abbb001fee2860dfaabf881831b3 (patch)
tree: 8315f33781b790084279680d05ea521f47fe1219 /packages/backend/src/server/api/SigninWithPasskeyApiService.ts
parent: Merge pull request #16972 from misskey-dev/develop (diff)
parent: Release: 2025.12.2 (diff)
download: misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.tar.gz
misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.tar.bz2
misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.zip
1 files changed, 17 insertions, 11 deletions
diff --git a/packages/backend/src/server/api/SigninWithPasskeyApiService.ts b/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
index 9ba23c54e2..920f9d0b3a 100644
--- a/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
+++ b/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
@@ -84,19 +84,25 @@ export class SigninWithPasskeyApiService {
 			return error(status ?? 500, failure ?? { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
 		};
 
-		try {
+		if (this.config.enableIpRateLimit) {
+			if (process.env.NODE_ENV === 'production' && (request.ip === '::1' || request.ip === '127.0.0.1')) {
+				this.logger.warn('Recieved signin with passkey request from localhost IP address for rate limiting in production environment. This is likely due to an improper trustProxy setting in the config file.');
+			}
+
+			try {
 			// Not more than 1 API call per 250ms and not more than 100 attempts per 30min
 			// NOTE: 1 Sign-in require 2 API calls
-			await this.rateLimiterService.limit({ key: 'signin-with-passkey', duration: 60 * 30 * 1000, max: 200, minInterval: 250 }, getIpHash(request.ip));
-		} catch (err) {
-			reply.code(429);
-			return {
-				error: {
-					message: 'Too many failed attempts to sign in. Try again later.',
-					code: 'TOO_MANY_AUTHENTICATION_FAILURES',
-					id: '22d05606-fbcf-421a-a2db-b32610dcfd1b',
-				},
-			};
+				await this.rateLimiterService.limit({ key: 'signin-with-passkey', duration: 60 * 30 * 1000, max: 200, minInterval: 250 }, getIpHash(request.ip));
+			} catch (err) {
+				reply.code(429);
+				return {
+					error: {
+						message: 'Too many failed attempts to sign in. Try again later.',
+						code: 'TOO_MANY_AUTHENTICATION_FAILURES',
+						id: '22d05606-fbcf-421a-a2db-b32610dcfd1b',
+					},
+				};
+			}
 		}
 
 		// Initiate Passkey Auth challenge with context
author	misskey-release-bot[bot] <157398866+misskey-release-bot[bot]@users.noreply.github.com>	2025-12-22 05:30:45 +0000
committer	GitHub <noreply@github.com>	2025-12-22 05:30:45 +0000
commit	0d46089f9a18abbb001fee2860dfaabf881831b3 (patch)
tree	8315f33781b790084279680d05ea521f47fe1219 /packages/backend/src/server/api/SigninWithPasskeyApiService.ts
parent	Merge pull request #16972 from misskey-dev/develop (diff)
parent	Release: 2025.12.2 (diff)
download	misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.tar.gz misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.tar.bz2 misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.zip