Livio Spring d3713dfaed fix: respect lockout policy on password change (with old password) and add tar pit for checks ...

# Which Problems Are Solved

While the lockout policy was correctly applied on the session API and other authentication and management endpoints , it had no effect on the user service v2 endpoints.

# How the Problems Are Solved

- Correctly apply lockout policy on the user service v2 endpoints.
- Added tar pitting to auth factor checks (authentication and management API) to prevent brute-force attacks or denial of service because of user lockouts.
- Tar pitting is not active if `IgnoreUnknownUsername` option is active to prevent leaking information whether a user exists or not.

# Additional Changes

None

# Additional Context

- requires backports

* cleanup

(cherry picked from commit b8db8cdf9c)

2025-10-29 10:10:36 +01:00

..

admin

chore: test server for direct resource access

2023-04-24 20:40:31 +03:00

build

fix(cache): use key versioning (#10657)

2025-09-16 07:19:12 +02:00

encryption

feat: action v2 signing (#8779)

2024-11-28 10:06:52 +00:00

hooks

feat: support whole config as env (#6336)

2024-02-16 16:04:42 +00:00

initialise

chore!: Introduce ZITADEL v3 (#9645)

2025-04-02 16:53:06 +02:00

key

chore!: Introduce ZITADEL v3 (#9645)

2025-04-02 16:53:06 +02:00

mirror

feat: http provider signing key addition (#10641)

2025-09-15 08:26:41 +02:00

ready

feat(v3alpha): web key resource (#8262)

2024-08-14 14:18:14 +00:00

setup

chore: rehaul DevX (#10571)

2025-10-09 16:53:19 +02:00

start

feat(api): move instance service to v2 (#10919)

2025-10-28 15:10:54 +01:00

tls

fix: enable env vars in setup steps (and deprecate admin subcommand) (#3871)

2022-06-27 10:32:34 +00:00

defaults.yaml

fix: respect lockout policy on password change (with old password) and add tar pit for checks

2025-10-29 10:10:36 +01:00

zitadel.go

fix(mirror): read config correctly (#8330)

2024-07-18 14:00:58 +00:00