Suddenly today I’m not able to sign into Hexbear because it keeps telling me my 2FA code is incorrect. Nothing on my end has changed at all and my 2FA is done through BitWarden automatically. If I try more than 2 times to sign in it blocks me for over an hour from even attempting to sign in. I can’t figure out wtf email address I used to sign up so I can’t even reset the password. Halp! am @peeonyou on hexbear

  • BoarAvoir [they/them]@hexbear.net
    5 hours ago

    Hi, thank you for reporting this issue! Sorry it’s taken a bit to work its way to the relevant people. It should be working now, assuming you are not currently rate limited and you don’t require multiple retries to get the 2FA code right.

    a little inside baseball

    So the issue is, Lemmy doesn’t have super granular controls on various API rate limits, there are only like 7 categories but there are many more API endpoints than that. For reasons I cannot fathom, the /login endpoint uses the same rate limit as the /register endpoint (for applying for a new account), which we keep pretty low to prevent registration spam, etc.

    In addition, 2FA logins require 2 calls to /login, since the first one has to come back with a response telling the page to display the 2fa prompt, and then a second request is sent with the 2FA code.

    Long story short, there was recently an attempted “raid” of the site by some trolls, and in preparation the /register rate limit was lowered further than normal, to only 1 per hour. This had the unintended effect of making 2FA logins impossible, and has now been increased. In future our devs may change the login rate limit to not track /register, but for now 2FA should be working again, though if you mis-type the code you may get rate-limited for an hour until a more permanent fix is in place.
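
The interaction BoarAvoir describes above, as an added simulation that is not part of the thread and is not Lemmy's code: a two-call 2FA login against a limit shared with /register, beside a layout where /login has its own bucket. The fixed-window limiter model, the bucket names, the `login` limit of 10 and the client address are assumptions made for illustration.

```python
from collections import defaultdict

class WindowLimiter:
    """Assumed model: at most limits[bucket] requests per client per window (seconds)."""
    def __init__(self, limits, window=3600):
        self.limits, self.window = limits, window
        self.hits = defaultdict(list)  # (bucket, client) -> accepted request times

    def allow(self, bucket, client, now):
        recent = [t for t in self.hits[(bucket, client)] if now - t < self.window]
        ok = len(recent) < self.limits[bucket]
        if ok:
            recent.append(now)
        self.hits[(bucket, client)] = recent
        return ok

# Endpoint -> rate-limit bucket. SHARED is the behaviour described in the comment;
# SPLIT is a hypothetical layout where /login gets a bucket of its own.
SHARED = {"/register": "register", "/login": "register"}
SPLIT = {"/register": "register", "/login": "login"}

def login_with_2fa(limiter, routes, client, now, code_ok):
    """Two /login calls: the first returns the 2FA prompt, the second carries the code."""
    bucket = routes["/login"]
    if not limiter.allow(bucket, client, now):
        return "rate_limited_before_prompt"
    if not limiter.allow(bucket, client, now + 5):
        return "rate_limited_at_code"
    return "logged_in" if code_ok else "bad_code"

def attempt_logins(routes, limits, mistyped=0, client="203.0.113.7"):
    """Retry every 30 s after `mistyped` wrong codes; stop once rate limited.
    The client address is a constructed documentation-range value."""
    limiter, outcomes = WindowLimiter(limits), []
    for i in range(mistyped + 1):
        result = login_with_2fa(limiter, routes, client, 30 * i, code_ok=(i == mistyped))
        outcomes.append(result)
        if result.startswith("rate_limited"):
            break
    return outcomes

if __name__ == "__main__":
    print(attempt_logins(SHARED, {"register": 1}))              # limit lowered to 1/hour
    print(attempt_logins(SHARED, {"register": 2}, mistyped=1))  # one wrong code, shared bucket
    print(attempt_logins(SPLIT, {"register": 1, "login": 10}, mistyped=1))
```

In this model a shared limit of N per hour allows only N // 2 complete 2FA attempts per hour, while the split layout keeps registration at 1 per hour without touching logins.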

  • PeeOnYou [he/him]@lemmygrad.mlOP
    14 hours ago

    Hexbear really needs to have a way to reach the site admins without logging in… I still can’t log in and I can’t seem to reach anyone who could do anything about it either.

    • Chronicon [they/them]@hexbear.net
      6 hours ago

      Matrix should work. Or since you’re logged in to a Lemmy account now you could ping some admins in a comment or DM them.

      They used to have emails listed I thought but now can’t find any, and really that might be for the best for opsec. It’s somewhat annoying that Matrix accounts linked in user profiles don’t show up when the viewer isn’t logged in though.

      https://matrix.to/#/@carc0sa:chapo.chat is seemingly the most active admin

      I’m also having 2FA issues on an alt.