Feature Suggestion
Feature Request: Enhanced Authentication Security with Login Attempt Limits and IP Blocking
Summary
Request to add built-in security features to the dashboard authentication system, including login attempt limits, temporary IP blocking, and enhanced security configurations.
Current Behavior
The current authentication system in Hummingbot Deploy provides basic username/password authentication using streamlit-authenticator with the following configuration:
- Simple enable/disable via the `AUTH_SYSTEM_ENABLED` environment variable
- Basic credentials stored in `credentials.yml`
- No protection against brute-force attacks
- No login attempt monitoring or IP blocking capabilities
Proposed Enhancement
Add comprehensive security features to protect the dashboard from unauthorized access attempts:
Core Features:
- Login Attempt Limiting
  - Configurable maximum failed login attempts (default: 3)
  - Progressive lockout periods (e.g., 5 min, 15 min, 1 hour)
  - Per-IP address tracking
- IP Address Blocking
  - Temporary IP blocking after exceeding the failed-attempt limit
  - Configurable lockout duration
  - Whitelist/blacklist IP management
- Enhanced Security Configuration
  - Content hiding for unauthenticated users
  - Session timeout configuration
  - Failed attempt logging and monitoring
Suggested Configuration Options:

```yaml
cookie:
  expiry_days: 1
  key: "some_signature_key"
  name: "some_cookie_name"
security:
  max_failed_attempts: 3
  lockout_duration: 3600
  progressive_lockout: true
  hide_content_when_unauthenticated: true
  log_failed_attempts: true
credentials:
  usernames:
    admin:
      email: "admin@example.com"
      name: "Administrator"
      password: "$2b$12$..."
preauthorized:
  emails:
    - "admin@example.com"
```
Use Case & Motivation
- Security: Protect trading dashboards from brute force attacks
- Compliance: Meet security requirements for financial applications
- Production Readiness: Enable safe deployment in production environments
- Risk Management: Prevent unauthorized access to trading bot configurations and sensitive data
Benefits
- Enhanced security without breaking existing functionality
- Backward compatibility with current authentication setup
- Configurable security levels for different deployment scenarios
- Protection of sensitive trading data and bot configurations
Implementation Considerations
- Maintain compatibility with the existing `streamlit-authenticator` integration
- Store security state persistently (database or file-based)
- Provide clear documentation for security configuration options
- Consider Docker container restart scenarios for persistent blocking: the state file or database must live on a mounted volume, otherwise every restart clears all lockouts
- Derive the client IP only from a reverse proxy that is the sole route to the dashboard; a forwarded-for header supplied by an untrusted client is attacker-controlled and would let the lockout be bypassed or aimed at other users
- Track failures per username as well as per IP, since an attacker can rotate source addresses and users behind a shared NAT would otherwise lock each other out
Priority
Medium-High - This feature significantly improves the security posture of production deployments while maintaining ease of use for development environments.
Impact
Fear of losing money
Additional context
No response