Persistent "Too many incorrect password attempts" lockout even after resetting credentials
Self Checks
- [X] This is only for bug report, if you would like to ask a question, please head to Discussions.
- [X] I have searched for existing issues, including closed ones.
- [X] I confirm that I am using English to submit this report (I have read and agree to the Language Policy).
- [X] [FOR CHINESE USERS] Please be sure to submit issues in English, otherwise they will be closed. Thank you! :)
- [X] Please do not modify this template :) and fill in all the required fields.
Dify version
0.12.1
Cloud or Self Hosted
Self Hosted (Docker)
Steps to reproduce
- Enter an incorrect password multiple times during login.
- The error message "Too many incorrect password attempts. Please try again later." is displayed.
- Use the Flask commands reset-email and reset-password to attempt to reset credentials.
- After resetting, try logging in again.
- The same "Too many incorrect password attempts" error message still appears, and you cannot log in.
✔️ Expected Behavior
After performing the reset actions (using reset-email and reset-password), the lockout should be cleared, allowing successful login without encountering the "Too many incorrect password attempts" error message.
❌ Actual Behavior
Even after performing the reset actions, the lockout persists indefinitely. The "Too many incorrect password attempts" message still appears, and the account cannot be accessed.
Additional Information
A similar issue has been reported in this discussion.
@skikkh Hello there! I'm here to help you with any bugs, questions, or contributions. Let's work together to solve this issue while we wait for a human maintainer.
I found a similar unsolved discussion related to your issue: General Discussion [1].
Regarding the lockout mechanism in Dify, the account lockout after too many incorrect password attempts is managed by a rate limit system. The AccountService class handles this by incrementing a counter in Redis for each failed login attempt. If the number of failed attempts exceeds the LOGIN_MAX_ERROR_LIMITS, the account is locked out for a duration specified by LOGIN_LOCKOUT_DURATION, which is set to 24 hours (86400 seconds) [2][3].
The reset-password and reset-email functionalities are implemented as command-line commands. They update the account's credentials in the database but do not automatically reset the login error rate limit. To clear the lockout, you should ensure that the reset_login_error_rate_limit method is called after resetting the credentials. This method deletes the Redis key associated with the login error count, effectively lifting the lockout [4][2].
If the lockout persists even after resetting credentials, it might be due to the login error rate limit not being reset. You may need to manually invoke the reset_login_error_rate_limit method for the affected account.
Try to remove things in the redis container.
Duplicate of https://github.com/langgenius/dify/issues/11775
you can simply clear the cache in redis: docker exec -it container-name redis-cli FLUSHALL
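The mechanism Dosu describes above (a per-account failure counter in Redis that the reset-password command never deletes), modelled as an added example that is not Dify's own code; the key name, the limit of 5 and the in-memory stand-in for Redis are assumptions. It also shows why deleting that one key is a narrower fix than the FLUSHALL suggested in this thread, which discards every key in the container.

```python
import time

# Constructed stand-in for the few Redis commands the lockout logic uses
# (INCR, EXPIRE, GET, DEL) so the example runs offline; the real deployment
# talks to the Redis container.
class FakeRedis:
    def __init__(self):
        self._data = {}  # key -> (value, expires_at or None)

    def _live(self, key):
        item = self._data.get(key)
        if item is not None and item[1] is not None and item[1] <= time.time():
            del self._data[key]  # key has expired, drop it like Redis would
            return None
        return item

    def incr(self, key):
        item = self._live(key)
        value = (item[0] if item else 0) + 1
        self._data[key] = (value, item[1] if item else None)
        return value

    def expire(self, key, seconds):
        if self._live(key):
            self._data[key] = (self._data[key][0], time.time() + seconds)

    def get(self, key):
        item = self._live(key)
        return item[0] if item else None

    def delete(self, key):
        self._data.pop(key, None)

LOGIN_MAX_ERROR_LIMITS = 5      # limit value is an assumption (name from the thread)
LOGIN_LOCKOUT_DURATION = 86400  # 24 hours, as stated in the thread

def _key(email):
    return f"login_error_rate_limit:{email}"  # hypothetical key name

def record_failed_login(r, email):
    count = r.incr(_key(email))               # counter lives for the lockout window
    r.expire(_key(email), LOGIN_LOCKOUT_DURATION)
    return count

def is_locked_out(r, email):
    return (r.get(_key(email)) or 0) > LOGIN_MAX_ERROR_LIMITS

def reset_password_buggy(db, r, email, new_password):
    db[email] = new_password                  # credentials change, counter survives

def reset_password_fixed(db, r, email, new_password):
    db[email] = new_password
    r.delete(_key(email))                     # targeted delete; FLUSHALL would drop every key
```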
You just need to clear the cache in redis: docker exec -it container-name redis-cli FLUSHALL
Tested, it works. Kudos to the poster.
docker exec -it container-name redis-cli FLUSHALL
Indeed useful
thanks, it works
> you can simply clear the cache in redis: docker exec -it container-name redis-cli FLUSHALL

Thank you, this saved my day.