feat: make dashboard auth rate-limit configurable via system settings

Add auth_rate_limit config block to dashboard settings with enable
(default: true), average_interval (default: 1.0s), and max_burst
(default: 3) options. The dashboard auth middleware now reads from
config instead of using hardcoded values. The average_interval and
max_burst fields are conditionally shown only when rate limiting is
enabled.

Author: Raven95676

astrbot/core/config/default.py

@@ -253,6 +253,11 @@
         "port": 6185,
         "disable_access_log": True,
         "trust_proxy_headers": False,
+        "auth_rate_limit": {
+            "enable": True,
+            "average_interval": 1.0,
+            "max_burst": 3,
+        },
         "totp": {
             "enable": False,
             "secret": "",
@@ -2973,6 +2978,9 @@
             },
             "dashboard.ssl.enable": {"type": "bool"},
             "dashboard.trust_proxy_headers": {"type": "bool"},
+            "dashboard.auth_rate_limit.enable": {"type": "bool"},
+            "dashboard.auth_rate_limit.average_interval": {"type": "float"},
+            "dashboard.auth_rate_limit.max_burst": {"type": "int"},
             "dashboard.ssl.cert_file": {
                 "type": "string",
                 "condition": {"dashboard.ssl.enable": True},
@@ -4220,6 +4228,23 @@
                         "type": "bool",
                         "hint": "关闭时忽略 X-Forwarded-For/X-Real-IP，仅使用连接地址。",
                     },
+                    "dashboard.auth_rate_limit.enable": {
+                        "description": "启用登录验证速率限制",
+                        "type": "bool",
+                        "hint": "关闭后将不对登录、TOTP 等身份验证接口进行速率限制。",
+                    },
+                    "dashboard.auth_rate_limit.average_interval": {
+                        "description": "登录验证速率限制平均间隔(秒)",
+                        "type": "float",
+                        "hint": "两次身份验证请求之间的最小平均间隔时间。例如设置为 1.0 表示每秒最多处理 1 个请求。",
+                        "condition": {"dashboard.auth_rate_limit.enable": True},
+                    },
+                    "dashboard.auth_rate_limit.max_burst": {
+                        "description": "登录验证速率限制最大突发数",
+                        "type": "int",
+                        "hint": "允许的瞬时最大突发请求数。例如设置为 3 表示在短时间内最多连续处理 3 个请求。",
+                        "condition": {"dashboard.auth_rate_limit.enable": True},
+                    },
                     "dashboard.totp.enable": {
                         "description": "启用 WebUI TOTP 双因素认证",
                         "type": "bool",

astrbot/dashboard/server.py

@@ -283,19 +283,31 @@ async def auth_middleware(self):
             os.environ.get("ASTRBOT_TEST_MODE") != "true"
             and request.path in _RATE_LIMITED_ENDPOINTS
         ):
-            client_ip = self._get_request_client_ip()
-            limiter = _rate_limiters.get(client_ip)
-            if limiter is None:
-                limiter = _AuthRateLimiter(capacity=3, refill_rate=1.0)
-                _rate_limiters[client_ip] = limiter
-            if not await limiter.acquire():
-                r = jsonify(
-                    Response()
-                    .error("验证尝试过于频繁，系统可能正在遭受暴力破解")
-                    .__dict__
-                )
-                r.status_code = 429
-                return r
+            rl_config = self.config.get("dashboard", {}).get("auth_rate_limit", {})
+            rl_enabled = rl_config.get("enable", True)
+            if rl_enabled:
+                average_interval = float(rl_config.get("average_interval", 1.0))
+                max_burst = int(rl_config.get("max_burst", 3))
+                if average_interval <= 0:
+                    average_interval = 1.0
+                if max_burst <= 0:
+                    max_burst = 3
+                refill_rate = 1.0 / average_interval
+                client_ip = self._get_request_client_ip()
+                limiter = _rate_limiters.get(client_ip)
+                if limiter is None:
+                    limiter = _AuthRateLimiter(
+                        capacity=max_burst, refill_rate=refill_rate
+                    )
+                    _rate_limiters[client_ip] = limiter
+                if not await limiter.acquire():
+                    r = jsonify(
+                        Response()
+                        .error("验证尝试过于频繁，系统可能正在遭受暴力破解")
+                        .__dict__
+                    )
+                    r.status_code = 429
+                    return r
 
         allowed_exact_endpoints = {
             "/api/auth/login",

dashboard/src/i18n/locales/en-US/features/config-metadata.json

@@ -1092,6 +1092,20 @@
           "description": "Trust Proxy Headers for Client IP",
           "hint": "When disabled, ignore X-Forwarded-For/X-Real-IP and use the connection address only."
         },
+        "auth_rate_limit": {
+          "enable": {
+            "description": "Enable Login Rate Limiting",
+            "hint": "When disabled, authentication endpoints (login, TOTP, etc.) will not be rate-limited."
+          },
+          "average_interval": {
+            "description": "Rate Limit Average Interval (seconds)",
+            "hint": "Minimum average interval between authentication requests. For example, 1.0 means at most 1 request per second."
+          },
+          "max_burst": {
+            "description": "Rate Limit Max Burst",
+            "hint": "Maximum number of consecutive burst requests allowed. For example, 3 allows up to 3 requests in a short burst."
+          }
+        },
         "ssl": {
           "enable": {
             "description": "Enable WebUI HTTPS",

dashboard/src/i18n/locales/ru-RU/features/config-metadata.json

@@ -1093,6 +1093,20 @@
                     "description": "Доверять прокси-заголовкам для IP клиента",
                     "hint": "Если выключено, X-Forwarded-For/X-Real-IP игнорируются и используется только адрес соединения."
                 },
+                "auth_rate_limit": {
+                    "enable": {
+                        "description": "Включить ограничение скорости входа",
+                        "hint": "Если выключено, конечные точки аутентификации (вход, TOTP и т.д.) не будут ограничены по скорости."
+                    },
+                    "average_interval": {
+                        "description": "Средний интервал ограничения скорости (сек)",
+                        "hint": "Минимальный средний интервал между запросами аутентификации. Например, 1.0 означает не более 1 запроса в секунду."
+                    },
+                    "max_burst": {
+                        "description": "Максимальный всплеск ограничения скорости",
+                        "hint": "Максимальное количество последовательных всплесков запросов. Например, 3 допускает до 3 запросов за короткий всплеск."
+                    }
+                },
                 "ssl": {
                     "enable": {
                         "description": "Включить HTTPS для WebUI",

dashboard/src/i18n/locales/zh-CN/features/config-metadata.json

@@ -1094,6 +1094,20 @@
           "description": "信任代理请求头获取客户端 IP",
           "hint": "关闭时忽略 X-Forwarded-For/X-Real-IP，仅使用连接地址。"
         },
+        "auth_rate_limit": {
+          "enable": {
+            "description": "启用登录验证速率限制",
+            "hint": "关闭后将不对登录、TOTP 等身份验证接口进行速率限制。"
+          },
+          "average_interval": {
+            "description": "登录验证速率限制平均间隔(秒)",
+            "hint": "两次身份验证请求之间的最小平均间隔时间。例如设置为 1.0 表示每秒最多处理 1 个请求。"
+          },
+          "max_burst": {
+            "description": "登录验证速率限制最大突发数",
+            "hint": "允许的瞬时最大突发请求数。例如设置为 3 表示在短时间内最多连续处理 3 个请求。"
+          }
+        },
         "ssl": {
           "enable": {
             "description": "启用 WebUI HTTPS",