mirror of
https://github.com/AstrBotDevs/AstrBot
synced 2026-07-16 01:40:15 +08:00
* feat: add TOTP two-factor authentication for dashboard login * fix: ensure TOTP verification uses UTC for accurate time comparison * fix: update recovery code validation logic for disabling TOTP * test: add unit tests for TOTP functionality and recovery code validation * chore: format * feat: add trust_proxy_headers switch for auth rate-limit IP source * feat: make dashboard auth rate-limit configurable via system settings Add auth_rate_limit config block to dashboard settings with enable (default: true), average_interval (default: 1.0s), and max_burst (default: 3) options. The dashboard auth middleware now reads from config instead of using hardcoded values. The average_interval and max_burst fields are conditionally shown only when rate limiting is enabled. * fix: normalize dashboard client IP from trusted proxy headers * refactor: encapsulate rate limiter state into registry, add TTL * feat: show dynamic page title during two-factor verification * fix: require two-factor verification for protected config saves * chore: format * refactor: reorganize TOTP verification UI components for better layout * refactor: clean up recovery stage UI by removing unused styles and improving label handling * docs: add TOTP two-factor authentication documentation for WebUI --------- Co-authored-by: Soulter <905617992@qq.com>