local-it/vikunja-api
0
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Notify the user after three failed login attempts

Browse source
This commit is contained in:
kolaente 2021-07-30 15:01:04 +02:00
parent 220f43331f
commit d746c1bede
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
4 changed files with 84 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
pkg/routes/api/v1/login.go
View file

@ -92,6 +92,9 @@ func Login(c echo.Context) error {
if err := keyvalue.Del(user.GetFailedTOTPAttemptsKey()); err != nil { if err := keyvalue.Del(user.GetFailedTOTPAttemptsKey()); err != nil {
return err return err
} }
if err := keyvalue.Del(user.GetFailedPasswordAttemptsKey()); err != nil {
return err
}
if err := s.Commit(); err != nil { if err := s.Commit(); err != nil {
_ = s.Rollback() _ = s.Rollback()

26
pkg/user/notifications.go
View file

@ -160,3 +160,29 @@ func (n *PasswordAccountLockedAfterInvalidTOTOPNotification) ToDB() interface{}
func (n *PasswordAccountLockedAfterInvalidTOTOPNotification) Name() string { func (n *PasswordAccountLockedAfterInvalidTOTOPNotification) Name() string {
return "password.account.locked.after.invalid.totop" return "password.account.locked.after.invalid.totop"
} }
// FailedLoginAttemptNotification represents a FailedLoginAttemptNotification notification
type FailedLoginAttemptNotification struct {
User *User
}
// ToMail returns the mail notification for FailedLoginAttemptNotification
func (n *FailedLoginAttemptNotification) ToMail() *notifications.Mail {
return notifications.NewMail().
Subject("Someone just tried to login to your Vikunja account, but failed to provide a correct password").
Greeting("Hi "+n.User.GetName()+",").
Line("Someone just tried to log in into your account with a wrong password three times in a row.").
Line("If this was not you, this could be someone else trying to break into your account.").
Line("To enhance the security of you account you may want to set a stronger password or enable TOTP authentication in the settings:").
Action("Go to settings", config.ServiceFrontendurl.GetString()+"user/settings")
}
// ToDB returns the FailedLoginAttemptNotification notification in a format which can be saved in the db
func (n *FailedLoginAttemptNotification) ToDB() interface{} {
return nil
}
// Name returns the name of the notification
func (n *FailedLoginAttemptNotification) Name() string {
return "failed.login.attempt"
}

13
pkg/user/totp.go
View file

@ -18,12 +18,10 @@ package user
import ( import (
"image" "image"
"strconv"
"code.vikunja.io/api/pkg/modules/keyvalue"
"code.vikunja.io/api/pkg/config" "code.vikunja.io/api/pkg/config"
"code.vikunja.io/api/pkg/log" "code.vikunja.io/api/pkg/log"
"code.vikunja.io/api/pkg/modules/keyvalue"
"code.vikunja.io/api/pkg/notifications" "code.vikunja.io/api/pkg/notifications"
"github.com/pquerna/otp" "github.com/pquerna/otp"
@ -155,10 +153,6 @@ func GetTOTPQrCodeForUser(s *xorm.Session, user *User) (qrcode image.Image, err
return key.Image(300, 300) return key.Image(300, 300)
} }
func (u *User) GetFailedTOTPAttemptsKey() string {
return "failed_totp_attempts_" + strconv.FormatInt(u.ID, 10)
}
// HandleFailedTOTPAuth handles informing the user of failed TOTP attempts and blocking the account after 10 attempts // HandleFailedTOTPAuth handles informing the user of failed TOTP attempts and blocking the account after 10 attempts
func HandleFailedTOTPAuth(s *xorm.Session, user *User) { func HandleFailedTOTPAuth(s *xorm.Session, user *User) {
log.Errorf("Invalid TOTP credentials provided for user %d", user.ID) log.Errorf("Invalid TOTP credentials provided for user %d", user.ID)
@ -167,11 +161,13 @@ func HandleFailedTOTPAuth(s *xorm.Session, user *User) {
err := keyvalue.IncrBy(key, 1) err := keyvalue.IncrBy(key, 1)
if err != nil { if err != nil {
log.Errorf("Could not increase failed TOTP attempts for user %d: %s", user.ID, err) log.Errorf("Could not increase failed TOTP attempts for user %d: %s", user.ID, err)
return
} }
a, _, err := keyvalue.Get(key) a, _, err := keyvalue.Get(key)
if err != nil { if err != nil {
log.Errorf("Could get failed TOTP attempts for user %d: %s", user.ID, err) log.Errorf("Could get failed TOTP attempts for user %d: %s", user.ID, err)
return
} }
attempts := a.(int64) attempts := a.(int64)
@ -179,6 +175,7 @@ func HandleFailedTOTPAuth(s *xorm.Session, user *User) {
err = notifications.Notify(user, &InvalidTOTPNotification{User: user}) err = notifications.Notify(user, &InvalidTOTPNotification{User: user})
if err != nil { if err != nil {
log.Errorf("Could not send failed TOTP notification to user %d: %s", user.ID, err) log.Errorf("Could not send failed TOTP notification to user %d: %s", user.ID, err)
return
} }
} }
@ -190,12 +187,14 @@ func HandleFailedTOTPAuth(s *xorm.Session, user *User) {
err = RequestUserPasswordResetToken(s, user) err = RequestUserPasswordResetToken(s, user)
if err != nil { if err != nil {
log.Errorf("Could not reset password of user %d after 10 failed TOTP attempts: %s", user.ID, err) log.Errorf("Could not reset password of user %d after 10 failed TOTP attempts: %s", user.ID, err)
return
} }
err = notifications.Notify(user, &PasswordAccountLockedAfterInvalidTOTOPNotification{ err = notifications.Notify(user, &PasswordAccountLockedAfterInvalidTOTOPNotification{
User: user, User: user,
}) })
if err != nil { if err != nil {
log.Errorf("Could send password information mail to user %d after 10 failed TOTP attempts: %s", user.ID, err) log.Errorf("Could send password information mail to user %d after 10 failed TOTP attempts: %s", user.ID, err)
return
} }
err = user.SetStatus(s, StatusDisabled) err = user.SetStatus(s, StatusDisabled)
if err != nil { if err != nil {

52
pkg/user/user.go
View file

@ -20,18 +20,20 @@ import (
"errors" "errors"
"fmt" "fmt"
"reflect" "reflect"
"strconv"
"time" "time"
"code.vikunja.io/api/pkg/config" "code.vikunja.io/api/pkg/config"
"code.vikunja.io/api/pkg/db" "code.vikunja.io/api/pkg/db"
"code.vikunja.io/api/pkg/log"
"xorm.io/xorm" "code.vikunja.io/api/pkg/modules/keyvalue"
"code.vikunja.io/api/pkg/notifications"
"code.vikunja.io/web" "code.vikunja.io/web"
"github.com/golang-jwt/jwt" "github.com/golang-jwt/jwt"
"github.com/labstack/echo/v4" "github.com/labstack/echo/v4"
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
"xorm.io/xorm"
) )
// Login Object to recive user credentials in JSON format // Login Object to recive user credentials in JSON format
@ -146,6 +148,14 @@ func (u *User) GetNameAndFromEmail() string {
return u.GetName() + " via Vikunja <" + config.MailerFromEmail.GetString() + ">" return u.GetName() + " via Vikunja <" + config.MailerFromEmail.GetString() + ">"
} }
func (u *User) GetFailedTOTPAttemptsKey() string {
return "failed_totp_attempts_" + strconv.FormatInt(u.ID, 10)
}
func (u *User) GetFailedPasswordAttemptsKey() string {
return "failed_password_attempts_" + strconv.FormatInt(u.ID, 10)
}
// GetFromAuth returns a user object from a web.Auth object and returns an error if the underlying type // GetFromAuth returns a user object from a web.Auth object and returns an error if the underlying type
// is not a user object // is not a user object
func GetFromAuth(a web.Auth) (*User, error) { func GetFromAuth(a web.Auth) (*User, error) {
@ -302,12 +312,48 @@ func CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {
// Check the users password // Check the users password
err = CheckUserPassword(user, u.Password) err = CheckUserPassword(user, u.Password)
if err != nil { if err != nil {
if IsErrWrongUsernameOrPassword(err) {
handleFailedPassword(user)
}
return nil, err return nil, err
} }
return user, nil return user, nil
} }
func handleFailedPassword(user *User) {
key := user.GetFailedPasswordAttemptsKey()
err := keyvalue.IncrBy(key, 1)
if err != nil {
log.Errorf("Could not set failed password attempts: %s", err)
return
}
a, _, err := keyvalue.Get(key)
if err != nil {
log.Errorf("Could get failed password attempts for user %d: %s", user.ID, err)
return
}
attempts := a.(int64)
if attempts != 3 {
return
}
err = notifications.Notify(user, &FailedLoginAttemptNotification{
User: user,
})
if err != nil {
log.Errorf("Could not send invalid password mail to user: %s", err)
return
}
err = keyvalue.Del(key)
if err != nil {
log.Errorf("Could not remove failed password attempts: %s", err)
return
}
}
// CheckUserPassword checks and verifies a user's password. The user object needs to contain the hashed password from the database. // CheckUserPassword checks and verifies a user's password. The user object needs to contain the hashed password from the database.
func CheckUserPassword(user *User, password string) error { func CheckUserPassword(user *User, password string) error {
err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))