Description
Feature Suggestion
Feature Request: Enhanced Authentication Security with Login Attempt Limits and IP Blocking
Summary
Request to add built-in security features to the dashboard authentication system, including login attempt limits, temporary IP blocking, and enhanced security configurations.
Current Behavior
The current authentication system in Hummingbot Deploy provides basic username/password authentication using streamlit-authenticator with the following configuration:
- Simple enable/disable via the AUTH_SYSTEM_ENABLED environment variable
- Basic credentials stored in credentials.yml
- No protection against brute force attacks
- No login attempt monitoring or IP blocking capabilities
Proposed Enhancement
Add comprehensive security features to protect the dashboard from unauthorized access attempts:
Core Features:
- Login Attempt Limiting
  - Configurable maximum failed login attempts (default: 3)
  - Progressive lockout periods (e.g., 5 min, 15 min, 1 hour)
  - Per-IP address tracking
- IP Address Blocking
  - Temporary IP blocking after exceeding failed attempts
  - Configurable lockout duration
  - Whitelist/blacklist IP management
- Enhanced Security Configuration
  - Content hiding for unauthenticated users
  - Session timeout configuration
  - Failed attempt logging and monitoring
Suggested Configuration Options:
```yaml
cookie:
  expiry_days: 1
  key: "some_signature_key"
  name: "some_cookie_name"
security:
  max_failed_attempts: 3
  lockout_duration: 3600
  progressive_lockout: true
  hide_content_when_unauthenticated: true
  log_failed_attempts: true
credentials:
  usernames:
    admin:
      email: "admin@example.com"
      name: "Administrator"
      password: "$2b$12$..."
preauthorized:
  emails:
    - "admin@example.com"
```
Use Case & Motivation
- Security: Protect trading dashboards from brute force attacks
- Compliance: Meet security requirements for financial applications
- Production Readiness: Enable safe deployment in production environments
- Risk Management: Prevent unauthorized access to trading bot configurations and sensitive data
Benefits
- Enhanced security without breaking existing functionality
- Backward compatibility with current authentication setup
- Configurable security levels for different deployment scenarios
- Protection of sensitive trading data and bot configurations
Implementation Considerations
- Maintain compatibility with the existing streamlit-authenticator integration
- Store security state persistently (database or file-based)
- Provide clear documentation for security configuration options
- Consider Docker container restart scenarios for persistent blocking
Priority
Medium-High - This feature significantly improves the security posture of production deployments while maintaining ease of use for development environments.
Impact
Fear of losing money
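The following is an added example of how the requested limiter could be built; it is not code from Hummingbot Deploy or streamlit-authenticator, and the issue does not prescribe any implementation. It assumes (assumptions, not statements from the issue) that the caller supplies the client IP, that the caller does the actual password check (for example a bcrypt comparison against the hashes in credentials.yml, stood in for here by a lambda), and that a JSON file is an acceptable state store for a single-process dashboard that must keep its lockout history across container restarts. It covers the three core features in one piece: per-IP failure counting with progressive lockout (5 min, 15 min, 1 hour), temporary blocking with whitelist and blacklist, and logging of failed attempts. The `simulate()` function at the end walks through lockout, expiry, a simulated restart and a whitelisted address using a fake clock and constructed sample addresses.

```python
"""Per-IP login attempt limiter with progressive lockout and file-backed state.

Added example; not part of Hummingbot Deploy or streamlit-authenticator.
Assumed: the caller provides the client IP and performs the password check;
state lives in a JSON file so lockouts survive a container restart.
"""
import json
import logging
import os
import tempfile
import time
from dataclasses import dataclass

log = logging.getLogger("dashboard.auth")


@dataclass(frozen=True)
class SecurityConfig:
    """Mirrors the proposed security: block; lockout_steps and the lists are additions."""
    max_failed_attempts: int = 3
    lockout_duration: int = 3600              # used when progressive_lockout is False
    progressive_lockout: bool = True
    lockout_steps: tuple = (300, 900, 3600)   # 5 min, 15 min, then 1 hour for every later lockout
    whitelist: frozenset = frozenset()        # addresses that are never locked out
    blacklist: frozenset = frozenset()        # addresses that are always rejected


class LoginAttemptLimiter:
    def __init__(self, config, state_path, clock=time.time):
        self.config, self.state_path, self.clock = config, state_path, clock
        self.state = self._load()   # {ip: {"failures": n, "lockouts": n, "locked_until": ts}}

    def _load(self):
        try:
            with open(self.state_path) as f:
                return json.load(f)
        except (FileNotFoundError, json.JSONDecodeError):
            return {}

    def _save(self):
        # Write to a temp file and rename so a restart mid-write cannot leave a truncated file.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(self.state_path)))
        with os.fdopen(fd, "w") as f:
            json.dump(self.state, f)
        os.replace(tmp, self.state_path)

    def is_blocked(self, ip):
        if ip in self.config.whitelist:
            return False
        if ip in self.config.blacklist:
            return True
        return self.lockout_remaining(ip) > 0

    def lockout_remaining(self, ip):
        """Seconds until a temporarily locked IP may try again; 0 if it is not locked."""
        entry = self.state.get(ip, {})
        return max(0, int(entry.get("locked_until", 0) - self.clock()))

    def record_failure(self, ip, username=None):
        entry = self.state.setdefault(ip, {"failures": 0, "lockouts": 0, "locked_until": 0})
        entry["failures"] += 1
        log.warning("failed login ip=%s user=%s failures=%d", ip, username, entry["failures"])
        if entry["failures"] >= self.config.max_failed_attempts:
            if self.config.progressive_lockout:
                steps = self.config.lockout_steps
                duration = steps[min(entry["lockouts"], len(steps) - 1)]
            else:
                duration = self.config.lockout_duration
            entry.update(failures=0, lockouts=entry["lockouts"] + 1,
                         locked_until=self.clock() + duration)
            log.warning("locking ip=%s for %ds (lockout #%d)", ip, duration, entry["lockouts"])
        self._save()

    def record_success(self, ip):
        # A successful login clears the counter and the progressive-lockout history.
        self.state.pop(ip, None)
        self._save()


def attempt_login(limiter, ip, username, password, verify_password):
    """Gate the credential check: a locked IP never reaches verify_password at all."""
    if limiter.is_blocked(ip):
        return "locked"
    if verify_password(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip, username)
    return "locked" if limiter.is_blocked(ip) else "denied"


def simulate(state_path=None):
    """Walk through lockout, expiry, restart, progressive lockout and the whitelist."""
    if state_path is None:
        state_path = os.path.join(tempfile.mkdtemp(), "login_state.json")
    now = [1_700_000_000.0]                       # constructed fake clock
    clock = lambda: now[0]
    verify = lambda u, p: (u, p) == ("admin", "correct-horse")   # stand-in for a bcrypt check
    attacker, office = "203.0.113.7", "10.0.0.5"  # constructed sample addresses
    cfg = SecurityConfig(whitelist=frozenset({office}))
    lim = LoginAttemptLimiter(cfg, state_path, clock)
    out = {}
    out["first_three"] = [attempt_login(lim, attacker, "admin", "guess", verify) for _ in range(3)]
    out["remaining"] = lim.lockout_remaining(attacker)           # first step: 300 s
    out["right_pw_while_locked"] = attempt_login(lim, attacker, "admin", "correct-horse", verify)
    now[0] += 301
    out["blocked_after_expiry"] = lim.is_blocked(attacker)
    lim = LoginAttemptLimiter(cfg, state_path, clock)            # simulated container restart
    out["after_restart"] = [attempt_login(lim, attacker, "admin", "guess", verify) for _ in range(3)]
    out["remaining_second"] = lim.lockout_remaining(attacker)    # 900 s: history survived the restart
    for _ in range(5):
        lim.record_failure(office, "admin")
    out["whitelisted_blocked"] = lim.is_blocked(office)
    now[0] += 901
    out["login_after_expiry"] = attempt_login(lim, attacker, "admin", "correct-horse", verify)
    out["state_cleared"] = attacker not in lim.state
    return out
```

Two points a deployment should settle before relying on per-IP tracking: behind a reverse proxy every client arrives with the proxy's address, so the IP handed to the limiter has to come from a forwarded-for header that is only trusted when set by that proxy; and because lockouts are keyed by IP, anyone who knows the address an office NATs through can lock the legitimate operators out, which is the reason for the whitelist and for keeping the lockout temporary rather than permanent.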