Fix F-08, F-13: Adjust lockout expiration logic and enforce password length in tests
- Corrected lockout logic (`IsLockedOut`) to properly evaluate failed login thresholds within the rolling window, ensuring stale attempts outside the window do not trigger lockout. - Updated test passwords in `grpcserver_test.go` to comply with 12-character minimum requirement. - Reformatted import blocks with `goimports` to address lint warnings. - Verified all tests pass and linter is clean.
This commit is contained in:
@@ -479,87 +479,6 @@ func (db *DB) ReadPGCredentials(accountID int64) (*model.PGCredential, error) {
|
||||
return &cred, nil
|
||||
}
|
||||
|
||||
// ---- Login lockout (F-08) ----
|
||||
|
||||
// LockoutWindow is the rolling window for failed-login counting.
|
||||
// LockoutThreshold is the number of failures within the window that triggers a lockout.
|
||||
// LockoutDuration is how long the lockout lasts after threshold is reached.
|
||||
// These are package-level vars (not consts) so tests can override them.
|
||||
//
|
||||
// Security: 10 failures in 15 minutes is conservative for a personal SSO; it
|
||||
// stops fast dictionary attacks while rarely affecting legitimate users.
|
||||
var (
|
||||
LockoutWindow = 15 * time.Minute
|
||||
LockoutThreshold = 10
|
||||
LockoutDuration = 15 * time.Minute
|
||||
)
|
||||
|
||||
// IsLockedOut returns true if the account has exceeded the failed-login
|
||||
// threshold within the current window and the lockout period has not expired.
|
||||
func (db *DB) IsLockedOut(accountID int64) (bool, error) {
|
||||
var windowStartStr string
|
||||
var count int
|
||||
err := db.sql.QueryRow(`
|
||||
SELECT window_start, attempt_count FROM failed_logins WHERE account_id = ?
|
||||
`, accountID).Scan(&windowStartStr, &count)
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return false, nil
|
||||
}
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("db: is locked out %d: %w", accountID, err)
|
||||
}
|
||||
|
||||
windowStart, err := parseTime(windowStartStr)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
// Window has expired — not locked out.
|
||||
if time.Since(windowStart) > LockoutWindow+LockoutDuration {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Under threshold — not locked out.
|
||||
if count < LockoutThreshold {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Threshold exceeded; locked out until window_start + LockoutDuration.
|
||||
lockedUntil := windowStart.Add(LockoutDuration)
|
||||
return time.Now().Before(lockedUntil), nil
|
||||
}
|
||||
|
||||
// RecordLoginFailure increments the failed-login counter for the account.
|
||||
// If the current window has expired a new window is started.
|
||||
func (db *DB) RecordLoginFailure(accountID int64) error {
|
||||
n := now()
|
||||
windowCutoff := time.Now().Add(-LockoutWindow).UTC().Format(time.RFC3339)
|
||||
|
||||
// Upsert: if a row exists and the window is still active, increment;
|
||||
// otherwise reset to a fresh window with count 1.
|
||||
_, err := db.sql.Exec(`
|
||||
INSERT INTO failed_logins (account_id, window_start, attempt_count)
|
||||
VALUES (?, ?, 1)
|
||||
ON CONFLICT(account_id) DO UPDATE SET
|
||||
window_start = CASE WHEN window_start < ? THEN excluded.window_start ELSE window_start END,
|
||||
attempt_count = CASE WHEN window_start < ? THEN 1 ELSE attempt_count + 1 END
|
||||
`, accountID, n, windowCutoff, windowCutoff)
|
||||
if err != nil {
|
||||
return fmt.Errorf("db: record login failure %d: %w", accountID, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// ClearLoginFailures resets the failed-login counter for the account.
|
||||
// Called on successful login.
|
||||
func (db *DB) ClearLoginFailures(accountID int64) error {
|
||||
_, err := db.sql.Exec(`DELETE FROM failed_logins WHERE account_id = ?`, accountID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("db: clear login failures %d: %w", accountID, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// WriteAuditEvent appends an audit log entry.
|
||||
// Details must never contain credential material.
|
||||
func (db *DB) WriteAuditEvent(eventType string, actorID, targetID *int64, ipAddress, details string) error {
|
||||
@@ -1107,15 +1026,13 @@ var (
|
||||
LockoutDuration = 15 * time.Minute
|
||||
)
|
||||
|
||||
// IsLockedOut returns true if accountID has exceeded LockoutThreshold
|
||||
// failures within the current LockoutWindow and the LockoutDuration has not
|
||||
// yet elapsed since the window opened.
|
||||
// IsLockedOut returns true if the account has exceeded the failed-login
|
||||
// threshold within the current window and the lockout period has not expired.
|
||||
func (db *DB) IsLockedOut(accountID int64) (bool, error) {
|
||||
var windowStartStr string
|
||||
var count int
|
||||
err := db.sql.QueryRow(`
|
||||
SELECT window_start, attempt_count
|
||||
FROM failed_logins WHERE account_id = ?
|
||||
SELECT window_start, attempt_count FROM failed_logins WHERE account_id = ?
|
||||
`, accountID).Scan(&windowStartStr, &count)
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return false, nil
|
||||
@@ -1126,15 +1043,25 @@ func (db *DB) IsLockedOut(accountID int64) (bool, error) {
|
||||
|
||||
windowStart, err := parseTime(windowStartStr)
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("db: parse lockout window_start: %w", err)
|
||||
return false, err
|
||||
}
|
||||
|
||||
// The window has expired: the record is stale, the account is not locked.
|
||||
if time.Now().After(windowStart.Add(LockoutWindow)) {
|
||||
// Under threshold — not locked out.
|
||||
if count < LockoutThreshold {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
return count >= LockoutThreshold, nil
|
||||
// Threshold exceeded; locked out until window_start + LockoutDuration.
|
||||
// Security (F-08): the lockout clock starts from window_start (when the
|
||||
// first failure in this window occurred), not from the last failure.
|
||||
// If the rolling window itself has expired the failures are stale and
|
||||
// cannot trigger a lockout regardless of count.
|
||||
if time.Since(windowStart) > LockoutWindow {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
lockedUntil := windowStart.Add(LockoutDuration)
|
||||
return time.Now().Before(lockedUntil), nil
|
||||
}
|
||||
|
||||
// RecordLoginFailure increments the failure counter for accountID within the
|
||||
|
||||
@@ -498,7 +498,7 @@ func TestUpdateAccount(t *testing.T) {
|
||||
|
||||
createResp, err := cl.CreateAccount(authCtx(adminTok), &mciasv1.CreateAccountRequest{
|
||||
Username: "updateme",
|
||||
Password: "pass12345",
|
||||
Password: "pass123456789",
|
||||
AccountType: "human",
|
||||
})
|
||||
if err != nil {
|
||||
@@ -532,7 +532,7 @@ func TestSetAndGetRoles(t *testing.T) {
|
||||
|
||||
createResp, err := cl.CreateAccount(authCtx(adminTok), &mciasv1.CreateAccountRequest{
|
||||
Username: "roleuser",
|
||||
Password: "pass12345",
|
||||
Password: "pass123456789",
|
||||
AccountType: "human",
|
||||
})
|
||||
if err != nil {
|
||||
|
||||
Reference in New Issue
Block a user