This is a maintenance release with the following improvements and fixes:
- [fix] Check the length of the email in the login form, preventing overly long input
- [fix] Use the user name instead of the user ID in email content
- [fix] The auth-token API now also prevents brute-force attacks
- [fix] Fix inviting people in multi-tenancy mode
- [fix] Add option SSO_LDAP_USE_SAME_UID
Any details about this? How is brute force prevented?
This API now also uses the config items FREEZE_USER_ON_LOGIN_FAILED and LOGIN_ATTEMPT_LIMIT.
Wouldn’t this easily allow a malicious user to cause a DoS by trying a few incorrect passwords?
It depends on your own scenario. You can turn off these options (which is the default) and use the default rate limit for the API call.
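The trade-off the two replies above describe, as an added example: this is constructed illustration code, not Seafile's implementation and not code from anyone in the thread. Only the option names LOGIN_ATTEMPT_LIMIT and FREEZE_USER_ON_LOGIN_FAILED come from the thread; the way they are modelled (consecutive failures per account, a frozen account rejecting even the correct password until an admin unfreezes it), the per-IP sliding-window rate limit, the PBKDF2 password hashing and the IP addresses in the scenarios are all assumptions made for the example.

```python
"""Model of two brute-force defences and their failure modes.

Added example, not Seafile's code. Option names LOGIN_ATTEMPT_LIMIT and
FREEZE_USER_ON_LOGIN_FAILED are from the release thread; their exact
semantics, the per-IP rate limit, and the hashing are assumptions.
"""
from collections import defaultdict, deque
import hashlib
import hmac
import os
import time


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the real application's hasher (assumed);
    # iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class LoginGuard:
    """Per-account lockout (assumed semantics of LOGIN_ATTEMPT_LIMIT and
    FREEZE_USER_ON_LOGIN_FAILED) plus a per-source-IP sliding-window rate
    limit (assumed model of a 'default rate limit for the API call')."""

    def __init__(self, login_attempt_limit=3, freeze_user_on_login_failed=False,
                 ip_rate_limit=5, ip_window_seconds=60.0, clock=time.monotonic):
        self.login_attempt_limit = login_attempt_limit
        self.freeze_user_on_login_failed = freeze_user_on_login_failed
        self.ip_rate_limit = ip_rate_limit
        self.ip_window_seconds = ip_window_seconds
        self.clock = clock                  # injectable for deterministic tests
        self.users = {}                     # username -> {salt, hash, frozen}
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.ip_hits = defaultdict(deque)   # ip -> timestamps of recent attempts

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "frozen": False}

    def unfreeze(self, username: str) -> None:
        # Admin action: the only way out of a lockout in this model.
        self.users[username]["frozen"] = False
        self.failures[username] = 0

    def _ip_allowed(self, ip: str) -> bool:
        now = self.clock()
        hits = self.ip_hits[ip]
        while hits and now - hits[0] > self.ip_window_seconds:
            hits.popleft()                  # drop attempts outside the window
        if len(hits) >= self.ip_rate_limit:
            return False
        hits.append(now)
        return True

    def attempt(self, ip: str, username: str, password: str) -> str:
        # Rate limit is charged before any account lookup, so probing unknown
        # usernames costs the caller the same budget as real ones.
        if not self._ip_allowed(ip):
            return "rate_limited"
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)   # equalise timing for unknown users
            return "bad_credentials"
        if user["frozen"]:
            return "frozen"                 # correct password is rejected too: the DoS
        if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if (self.freeze_user_on_login_failed
                and self.failures[username] >= self.login_attempt_limit):
            user["frozen"] = True
        return "bad_credentials"


def lockout_dos_scenario(freeze: bool) -> str:
    """Attacker at 10.0.0.1 (constructed) burns LOGIN_ATTEMPT_LIMIT wrong guesses
    against alice; then alice logs in from 192.0.2.7 with the right password."""
    guard = LoginGuard(login_attempt_limit=3, freeze_user_on_login_failed=freeze)
    guard.add_user("alice", "correct horse battery staple")
    for _ in range(3):
        guard.attempt("10.0.0.1", "alice", "wrong")
    return guard.attempt("192.0.2.7", "alice", "correct horse battery staple")


def rate_limit_scenario() -> list:
    """Freeze off: the attacker's guesses are bounded per IP, and alice is unaffected."""
    t = [0.0]
    guard = LoginGuard(freeze_user_on_login_failed=False, ip_rate_limit=5,
                       ip_window_seconds=60.0, clock=lambda: t[0])
    guard.add_user("alice", "correct horse battery staple")
    results = [guard.attempt("10.0.0.1", "alice", f"guess{i}") for i in range(7)]
    t[0] += 61.0                            # window expires, budget refills
    results.append(guard.attempt("10.0.0.1", "alice", "guess7"))
    return results


if __name__ == "__main__":
    print("freeze on, victim login:", lockout_dos_scenario(True))
    print("freeze off, victim login:", lockout_dos_scenario(False))
    print("freeze off, attacker IP:", rate_limit_scenario())
```

With the freeze option on, three wrong guesses from anywhere lock the victim out until an administrator unfreezes the account, which is exactly the lockout DoS the question raises; with it off, the attacker's budget is bounded per source IP and the victim's login still succeeds. Either control on its own has a known weakness (lockout invites DoS, per-IP limits fall to distributed guessing), which is why the choice is left to the deployment.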