88832d1af2
The countRecentFailedAttempts() function was requiring BOTH email AND ip_address to match, which caused failed attempts from different IPs to not count together. This prevented account lockout from working properly. Changed to count failed attempts by email only. IP address is still recorded for audit purposes but doesn't affect the failed attempt count. This ensures: - Failed attempts accumulate correctly regardless of IP changes - Accounts lock after 5 failed attempts within 15 minutes - Prevents attackers from bypassing by changing IP
80 KiB
80 KiB