DeterministicESPAsyncWebServer v6.27.1
Zero-allocation, bounded-execution async HTTP server for ESP32
Loading...
Searching...
No Matches
auth_lockout.h File Reference

Per-peer brute-force lockout for HTTP auth (DETWS_ENABLE_AUTH_LOCKOUT). More...

#include "ServerConfig.h"

Go to the source code of this file.

Detailed Description

Per-peer brute-force lockout for HTTP auth (DETWS_ENABLE_AUTH_LOCKOUT).

Tracks consecutive failed authentications per source address in a fixed BSS table (no heap). The key is the full family-tagged address (DetIp), so an IPv4 and an IPv6 peer are always distinct buckets and no attacker can share or poison another address's state through a lossy hash collision. After DETWS_AUTH_LOCKOUT_THRESHOLD consecutive failures an address is locked out for DETWS_AUTH_LOCKOUT_BASE_MS, doubling on each further failure up to DETWS_AUTH_LOCKOUT_MAX_MS; a successful auth clears the address. Compiled only when DETWS_ENABLE_AUTH_LOCKOUT is set (the host unit tests enable it and drive it with a synthetic millisecond clock). An unspecified address (family DetIpFamily::DET_IP_NONE or all-zero) is untrackable and is never locked.

Author
Douglas Quigg (dstroy0)
Date
2026

Definition in file auth_lockout.h.