[GH-ISSUE #4006] [FEAT]: 401 response for failed authentication at /api/request-token #2545

Closed
opened 2026-02-22 18:30:09 -05:00 by yindo · 1 comment
Owner

Originally created by @Tarkva on GitHub (Jun 14, 2025).
Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4006

What would you like to see?

Hi!

I am a semi-serious vibe coder. This is my first post on github. So, I got AnythingLLM running on a private server. NICE! But the thing is, it really has no build in security, so i tried to implement fail2ban to prevent brute force attacks. OK? Problem is, the failed login attempts still return a 200 OK so it is quite difficult to latch onto something which would definitively prove a failed login. Am I making sense? I just started vibe coding last week so excuse me.

Originally created by @Tarkva on GitHub (Jun 14, 2025). Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4006 ### What would you like to see? Hi! I am a semi-serious vibe coder. This is my first post on github. So, I got AnythingLLM running on a private server. NICE! But the thing is, it really has no build in security, so i tried to implement fail2ban to prevent brute force attacks. OK? Problem is, the failed login attempts still return a 200 OK so it is quite difficult to latch onto something which would definitively prove a failed login. Am I making sense? I just started vibe coding last week so excuse me.
yindo added the enhancementfeature request labels 2026-02-22 18:30:09 -05:00
yindo closed this issue 2026-02-22 18:30:09 -05:00
Author
Owner

@timothycarambat commented on GitHub (Jun 15, 2025):

it really has no built-in security,

Open settings > Security and turn on password or multi-user mode. That will then allow request token to even produce a token since without password/MuM there is nothing to authenticate.

As for adding to fail2ban or any other "web-admin" tooling into the software we leave this up to the discretion of the webadmin to implement these items or processes themselves are either the webservice level or in a custom fork. Everyone has a preference, and rebuilding these features into the core app service is more to maintain and also opens us to thousands of feature requests from "Add my way" kind of requests for every single amalgamation of tooling.

So instead, we are OSS and you can fork and add that ability or customize it on your deployment level via NGINX or whatever way you would like to deploy! This is ultimately far easier for us to maintain so we spend time on the core offering and not building a touchpoint for every opioniated implmentation that isnt core to the main application

@timothycarambat commented on GitHub (Jun 15, 2025): > it really has no built-in security, Open settings > Security and turn on password or multi-user mode. That will then allow request token to even produce a token since without password/MuM there is nothing to authenticate. As for adding to fail2ban or any other "web-admin" tooling into the software we leave this up to the discretion of the webadmin to implement these items or processes themselves are either the webservice level or in a custom fork. Everyone has a preference, and rebuilding these features into the core app service is more to maintain and also opens us to thousands of feature requests from "Add my way" kind of requests for every single amalgamation of tooling. So instead, we are OSS and you can fork and add that ability or customize it on your deployment level via NGINX or whatever way you would like to deploy! This is ultimately far easier for us to maintain so we spend time on the core offering and not building a touchpoint for every opioniated implmentation that isnt core to the main application
yindo changed title from [FEAT]: 401 response for failed authentication at /api/request-token to [GH-ISSUE #4006] [FEAT]: 401 response for failed authentication at /api/request-token 2026-06-05 14:47:11 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#2545