When using the Android app, and possibly other non-browser clients, the POST URL used to authorize a login is /api2/auth-token/ versus the web browser that uses /accounts/login/
The problem is that the /api2/auth-token/ URL does not trigger failed login attempts. I have the failed login attempts set to 5, and using a browser, it works exactly as expected and the account is marked Inactive after 5 failed attempts. I was able to submit 20+ consecutive failed login attempts from the Android app and it did not lock the account, which completely defeats the purpose of that feature, since anyone could just launch unlimited auth attempts against that API.
In addition to the above, if I locked the account by exceeding the login attempts in the browser, and go back to the Android app /api2/auth-token/ URL, another security problem is presented. When the account is Inactive and I submit a wrong password, the API responds with “Unable to login with provided credentials.”, but if I submitted the correct password, the API responds with “User account is disabled.”. That means even on an account marked Inactive, someone could continue submitted auth requests against the URL and determine whether or not the correct password was guessed.
Even though it’s an issue specifically I noticed with the Android app, it really applies to all of Seafile across the board, which negates having the failed login attempts feature. Any chance on a quick fix for this?