Rate Limiting and Account Locking
Odeion ships two layers of login protection: automatic rate limiting of failed attempts, and manual per-account locking.
Login Rate Limiting
Section titled “Login Rate Limiting”Failed login attempts are counted in a fixed window, tracked independently per client IP and per username:
| Parameter | Value |
|---|---|
| Failure budget | 10 failures per key |
| Window | 15 minutes |
| Keys | client IP and username, independently |
Once a key exceeds its budget, further attempts are refused until the window expires, and the response says how long to wait. A successful login clears the username’s counter (so users are not punished for their own typos) but not the IP’s counter, so a host that guessed one account does not get a clean slate against others.
Notes:
- Only failures count; successful logins do not consume budget.
- Invite code redemption is throttled per IP the same way.
- Counters are in-memory and reset when the server restarts.
- The limits are fixed and not currently configurable.
Account Locking
Section titled “Account Locking”Admins can lock any account from Admin > Users. A locked account:
- Cannot sign in with a password, OAuth, or a device link code.
- Cannot use its existing sessions; requests fail until unlocked.
- Cannot use its API keys.
Locking does not delete anything. Existing sessions resume working when the account is unlocked.
Unlocking
Section titled “Unlocking”| Method | Where | Notes |
|---|---|---|
| Admin unlock | Admin > Users | The normal path. |
| CLI reset | odeion reset-password <username> on the server host | Clears the lock and issues a reset link in one step. The escape hatch when the locked account is the only admin. |
A reset link generated from the admin UI does not clear the lock; see Password Reset.
Server-Wide Switches
Section titled “Server-Wide Switches”Two kill switches act as emergency brakes: Login refuses all new logins (existing sessions keep working), and OAuth disables provider logins specifically. Both take effect immediately.