fix: deep bug hunt II — concurrency, security & optimization (25 files)

Critical: watchdog mutex panic safety, SetGeoAppOverride nil guard,
SSD-only app DB restore fallback.

High: double deploy race (atomic Deploying flag), delete/remove during
deploy guard, ScanStacks overwrite protection, FileBrowser mount mutex,
PushEvent history, PushOnce error handling, DB dump sync+close before
rename, restic retry fresh context, encrypt failure logging, cross-backup
path traversal validation, deepCopyStack completeness.

Security: constant-time API key comparison, login rate limiting (5/min),
git credential masking in logs, storage path prefix traversal fix.

Concurrency: MigrateEncryption lock ordering, SubdomainInUse I/O outside
lock, scheduler late-registered jobs, SQLite WAL verification, metrics
shutdown context, telemetry scan error logging, asset sync lock scope.

Optimization: streaming file copy for DB dumps, restic stats dedup,
atomic infra config copy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

controller/internal/web/auth.go

@@ -17,9 +17,17 @@ type session struct {
 	csrfToken string
 }
 
+// loginAttempt tracks failed login attempts for rate limiting.
+type loginAttempt struct {
+	count    int
+	lastFail time.Time
+}
+
 const (
-	sessionCookieName = "felhom_session"
-	sessionMaxAge     = 7 * 24 * time.Hour
+	sessionCookieName   = "felhom_session"
+	sessionMaxAge       = 7 * 24 * time.Hour
+	loginMaxAttempts    = 5
+	loginWindowDuration = 1 * time.Minute
 )
 
 // effectivePasswordHash returns the active password hash using the priority:
@@ -98,13 +106,47 @@ func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Rate limit: check failed attempts from this IP
+	ip := r.RemoteAddr
+	if fwd := r.Header.Get("X-Forwarded-For"); fwd != "" {
+		ip = strings.Split(fwd, ",")[0]
+	}
+	ip = strings.TrimSpace(ip)
+
+	s.loginAttemptMu.Lock()
+	attempt := s.loginAttempts[ip]
+	if attempt != nil && time.Since(attempt.lastFail) > loginWindowDuration {
+		// Window expired — reset
+		attempt = nil
+		delete(s.loginAttempts, ip)
+	}
+	if attempt != nil && attempt.count >= loginMaxAttempts {
+		s.loginAttemptMu.Unlock()
+		s.logger.Printf("[WARN] Login rate limited for %s (%d attempts)", ip, attempt.count)
+		s.renderLogin(w, "Túl sok sikertelen próbálkozás, próbálja újra 1 perc múlva", "")
+		return
+	}
+	s.loginAttemptMu.Unlock()
+
 	effectiveHash := s.effectivePasswordHash()
 	if err := bcrypt.CompareHashAndPassword([]byte(effectiveHash), []byte(password)); err != nil {
 		s.logger.Printf("[WARN] Failed login from %s", r.RemoteAddr)
+		s.loginAttemptMu.Lock()
+		if s.loginAttempts[ip] == nil {
+			s.loginAttempts[ip] = &loginAttempt{}
+		}
+		s.loginAttempts[ip].count++
+		s.loginAttempts[ip].lastFail = time.Now()
+		s.loginAttemptMu.Unlock()
 		s.renderLogin(w, "Hibás jelszó", "")
 		return
 	}
 
+	// Successful login — clear rate limit for this IP
+	s.loginAttemptMu.Lock()
+	delete(s.loginAttempts, ip)
+	s.loginAttemptMu.Unlock()
+
 	token := s.createSession()
 	isSecure := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
 	http.SetCookie(w, &http.Cookie{