
[MEDIUM][Security] In-Memory User Store Without Password Complexity or Brute-Force Protection #160

@filthyrake

Description


Summary

The create_user method in JWTAuthManager accepts any password without complexity validation. Combined with the in-memory user store (no account lockout, no failed attempt tracking), this makes brute-force attacks more feasible.

Affected Files

  • truenas-mcp/src/auth.py (lines 496-524)

Impact

  • Weak passwords could be easily guessed
  • No protection against brute-force attacks
  • No rate limiting on authentication endpoints

Recommended Fix

  1. Add password complexity validation (minimum length, character diversity)
  2. Implement account lockout after N failed attempts
  3. Add rate limiting to authentication endpoints
  4. Consider using an external identity provider for production
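As an added example (not the project's own auth.py code), the following sketch shows how fixes 1 and 2 fit together in a hardened in-memory store: a complexity check at user creation and a per-account lockout once MAX_FAILURES consecutive failures are seen. The class name, policy values and the injectable clock are assumptions for illustration; endpoint rate limiting (fix 3) lives outside the store and is not shown.

```python
import hashlib, hmac, os, re, time

MIN_LENGTH, MAX_FAILURES, LOCKOUT_SECONDS = 12, 5, 900  # constructed policy values

def password_policy_errors(password: str) -> list[str]:
    """Return the complexity rules the password violates (empty list == accepted)."""
    checks = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (re.search(r"[a-z]", password), "a lowercase letter"),
        (re.search(r"[A-Z]", password), "an uppercase letter"),
        (re.search(r"\d", password), "a digit"),
        (re.search(r"[^A-Za-z0-9]", password), "a symbol"),
    ]
    return [msg for ok, msg in checks if not ok]

class HardenedUserStore:
    """In-memory store with complexity rules and per-account lockout (example only)."""
    def __init__(self, clock=time.monotonic):
        self._users: dict[str, dict] = {}
        self._clock = clock  # injectable so lockout expiry can be tested

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, username: str, password: str) -> None:
        errors = password_policy_errors(password)
        if errors:
            raise ValueError("password must contain " + ", ".join(errors))
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "digest": self._hash(password, salt),
                                 "failures": 0, "locked_until": 0.0}

    def authenticate(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        now = self._clock()
        if rec is None:
            self._hash(password, b"\0" * 16)  # same cost for unknown users
            return False
        if now < rec["locked_until"]:
            return False  # locked out: reject without consulting the password
        if hmac.compare_digest(self._hash(password, rec["salt"]), rec["digest"]):
            rec["failures"] = 0  # successful login resets the counter
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
        return False
```

A locked account rejects even the correct password until the window expires, which is the behaviour an attacker-side brute force is meant to hit.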

References

  • CWE-521 (Weak Password Requirements)
  • CWE-307 (Improper Restriction of Excessive Authentication Attempts)

🤖 Generated with Claude Code
