lock accounts after enough failed login attempts

2025-04-29 11:32:48 +01:00 · 2025-04-29 11:32:48 +01:00 · 1c0e541c89
commit 1c0e541c89
parent 5cc9a1ca76
7 changed files with 153 additions and 13 deletions
--- a/admin/http.go
+++ b/admin/http.go
@ -274,11 +274,20 @@ func loginHandler(app *model.AppState) http.Handler {
            render()
            return
        }
+		if account.Locked {
+			controller.SetSessionError(app.DB, session, "This account is locked.")
+			render()
+			return
+		}

        err = bcrypt.CompareHashAndPassword([]byte(account.Password), []byte(password))
        if err != nil {
            app.Log.Warn(log.TYPE_ACCOUNT, "\"%s\" attempted login with incorrect password. (%s)", account.Username, controller.ResolveIP(app, r))
-            controller.SetSessionError(app.DB, session, "Invalid username or password.")
+			if locked := handleFailedLogin(app, account); locked {
+				controller.SetSessionError(app.DB, session, "Too many failed attempts. This account is now locked.")
+			} else {
+				controller.SetSessionError(app.DB, session, "Invalid username or password.")
+			}
            render()
            return
        }
@ -299,6 +308,8 @@ func loginHandler(app *model.AppState) http.Handler {
                render()
                return
            }
+			controller.SetSessionMessage(app.DB, session, "")
+			controller.SetSessionError(app.DB, session, "")
            http.Redirect(w, r, "/admin/totp", http.StatusFound)
            return
        }
@ -377,8 +388,14 @@ func loginTOTPHandler(app *model.AppState) http.Handler {
            return
        }
        if totpMethod == nil {
-            app.Log.Warn(log.TYPE_ACCOUNT, "\"%s\" failed login (Invalid TOTP). (%s)", session.AttemptAccount.Username, controller.ResolveIP(app, r))
-            controller.SetSessionError(app.DB, session, "Invalid TOTP.")
+            app.Log.Warn(log.TYPE_ACCOUNT, "\"%s\" failed login (Incorrect TOTP). (%s)", session.AttemptAccount.Username, controller.ResolveIP(app, r))
+			if locked := handleFailedLogin(app, session.AttemptAccount); locked {
+				controller.SetSessionError(app.DB, session, "Too many failed attempts. This account is now locked.")
+				controller.SetSessionAttemptAccount(app.DB, session, nil)
+				http.Redirect(w, r, "/admin", http.StatusFound)
+			} else {
+				controller.SetSessionError(app.DB, session, "Incorrect TOTP.")
+			}
            render()
            return
        }
@ -496,3 +513,29 @@ func enforceSession(app *model.AppState, next http.Handler) http.Handler {
        next.ServeHTTP(w, r.WithContext(ctx))
    })
 }
+
+func handleFailedLogin(app *model.AppState, account *model.Account) bool {
+	locked, err := controller.IncrementAccountFails(app.DB, account.ID)
+	if err != nil {
+		fmt.Fprintf(
+			os.Stderr,
+			"WARN: Failed to increment login failures for \"%s\": %v\n",
+			account.Username,
+			err,
+		)
+		app.Log.Warn(
+			log.TYPE_ACCOUNT,
+			"Failed to increment login failures for \"%s\"",
+			account.Username,
+		)
+	}
+	if locked {
+		app.Log.Warn(
+			log.TYPE_ACCOUNT,
+			"Account \"%s\" was locked: %d failed login attempts",
+			account.Username,
+			model.MAX_LOGIN_FAIL_ATTEMPTS,
+		)
+	}
+	return locked
+}