Suddenly today I’m not able to sign into Hexbear because it keeps telling me my 2FA code is incorrect. Nothing on my end has changed at all and my 2FA is done through BitWarden automatically. If I try more than 2 times to sign in it blocks me for over an hour from even attempting to sign in. I can’t figure out wtf email address I used to sign up so I can’t even reset the password. Halp! am @peeonyou on hexbear
Hi, thank you for reporting this issue! sorry it’s taken a bit to work its way to the relevant people. It should be working now, assuming you are not currently rate limited and you don’t require multiple retries to get the 2fa code right.
a little inside baseball
So the issue is, lemmy doesn’t have super granular controls on various API rate limits, there are only like 7 categories but there are many more API endpoints than that. For reasons I cannot fathom, the /login endpoint uses the same rate limit as the /register endpoint (for applying for a new account), which we keep pretty low to prevent registration spam, etc.
In addition, 2FA logins require 2 calls to /login, since the first one has to come back with a response telling the page to display the 2fa prompt, and then a second request is sent with the 2FA code.
Long story short, there was recently an attempted “raid” of the site by some trolls, and in preparation the /register rate limit was lowered further than normal, to only 1 per hour. This had the unintended effect of making 2FA logins impossible, and has now been increased. In future our devs may change the login rate limit to not track /register, but for now 2FA should be working again, though if you mis-type the code you may get rate-limited for an hour until a more permanent fix is in place.