login_attempts_v2.patch - Redmine

               @user.must_change_passwd = false
               if @user.save
                 @token.destroy
                 @user.reset_failed_login_attempts!
                 Mailer.deliver_password_updated(@user, User.current)
                 flash[:notice] = l(:notice_account_password_updated)
                 redirect_to signin_path
-...
         redirect_to signin_path
       end
       # Token based account unlock
       def unlock
         token = Token.find_token('unlock', params[:token].to_s)
         (redirect_to(home_url); return) unless token and !token.expired?
         user = token.user
         (redirect_to(home_url); return) unless user.locked?
         user.reset_failed_login_attempts!
         if user.save
           token.destroy
           flash[:notice] = l(:notice_account_unlocked)
         end
         redirect_to signin_path
       end
       # Sends a new account activation email
       def activation_email
         if session[:registered_user_id] && Setting.self_registration == '1'
-...
         # prevent brute force attacks on the one-time password
         elsif session[:twofa_tries_counter] > 3
           destroy_twofa_session
           @user.add_failed_login_attempts!
           account_locked(@user) and return if @user.locked?
           flash[:error] = l('twofa_too_many_tries')
           redirect_to home_url
         else
           @user.add_failed_login_attempts!
           account_locked(@user) and return if @user.locked?
           flash[:error] = l('twofa_invalid_code')
           redirect_to account_twofa_confirm_path
         end
-...
       end
       def successful_authentication(user)
         user.reset_failed_login_attempts!
         logger.info "Successful authentication for '#{user.login}' from #{request.remote_ip} at #{Time.now.utc}"
         # Valid user
         self.logged_user = user
-...
       end
       def invalid_credentials
         user = User.find_by_login(params[:username].to_s.strip)
         user.add_failed_login_attempts! if user
         account_locked(user) and return if user && user.locked?
         logger.warn "Failed login for '#{params[:username]}' from #{request.remote_ip} at #{Time.now.utc}"
         flash.now[:error] = l(:notice_account_invalid_credentials)
       end

         was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE])
         # TODO: Similar to My#account
         @user.pref.safe_attributes = params[:pref]
         # Reset failed_login_attempts if changed from other status to active
         @user.failed_login_attempts = 0 if @user.will_save_change_to_status? && @user.active?
         if @user.save
           @user.pref.save

         register(user, token).deliver_later
       end
       # Builds a mail to user with account unlock link.
       def locked(user, token)
         @token = token
         @url = url_for(controller: 'account', action: 'unlock', token: token.value)
         mail :to => user.mail,
           :subject => l(:mail_subject_locked, Setting.app_title)
       end
       # Sends an mail to user with account unlock link.
+      #
       # Exemple:
       #   Mailer.deliver_locked(user, token)
       def self.deliver_locked(user, token)
         locked(user, token).deliver_later
       end
       # Build a mail to user and the additional recipients given in
       # options[:recipients] about a security related event made by sender.
+      #

app/models/token.rb
41	41	add_action :feeds, max_instances: 1, validity_time: nil
42	42	add_action :recovery, max_instances: 1, validity_time: Proc.new {Token.validity_time}
43	43	add_action :register, max_instances: 1, validity_time: Proc.new {Token.validity_time}
	44	add_action :unlock, max_instances: 1, validity_time: Proc.new {Token.validity_time}
44	45	add_action :session, max_instances: 10, validity_time: nil
45	46	add_action :twofa_backup_code, max_instances: 10, validity_time: nil
46	47

       end
       def activate
         self.failed_login_attempts = 0
         self.status = STATUS_ACTIVE
       end
-...
       end
       def activate!
         self.failed_login_attempts = 0
         update_attribute(:status, STATUS_ACTIVE)
       end
-...
         User.where("created_on < ? AND status = ?", Time.now - age, STATUS_REGISTERED).destroy_all
       end
       def reset_failed_login_attempts!
         return if failed_login_attempts.zero? && self.active?
         self.failed_login_attempts = 0
         self.activate if self.locked?
         self.save!
       end
       def add_failed_login_attempts!
         self.failed_login_attempts = self.failed_login_attempts + 1
         if Setting.max_login_attempts.present? && self.failed_login_attempts > Setting.max_login_attempts.to_i && self.active?
           self.lock_by_failed_login_attempts!
         else
           self.save!
         end
       end
       # Execute in the event of consecutive failed login attempts.
       # Lock user, create unlock token, send email to locked user and send security notification emails to administrators.
       def lock_by_failed_login_attempts!
         self.lock
         token = Token.new(user: self, action: 'unlock')
         self.save! and token.save!
         Mailer.deliver_locked(self, token)
         options = {
           field: User.current.admin? ? :field_admin : :field_user,
           value: login,
           title: :label_user_plural,
           url: {controller: 'users', action: 'index', status: STATUS_LOCKED},
           message: :mail_body_security_notification_locked
+        }
         users = User.active.where(admin: true).to_a
         Mailer.deliver_security_notification(users, User.current, options)
       end
       protected
       def validate_password_length

app/views/mailer/locked.html.erb
	1	<p><%= simple_format(l(:mail_body_locked)) %><br />
	2	<%= link_to @url, @url %></p>

app/views/mailer/locked.text.erb
	1	<%= l(:mail_body_locked) %>
	2	<%= @url %>

       </em>
     </p>
     <p>
       <%= setting_text_field :max_login_attempts, :size => 6 %>
     </p>
     </div>
     <fieldset class="box">

       notice_account_register_done: Account was successfully created. An email containing the instructions to activate your account was sent to %{email}.
       notice_account_not_activated_yet: You haven't activated your account yet. If you want to receive a new activation email, please <a href="%{url}">click this link</a>.
       notice_account_locked: Your account is locked.
       notice_account_unlocked: Your account is unlocked.
       notice_can_t_change_password: This account uses an external authentication source. Impossible to change the password.
       notice_account_lost_email_sent: An email with instructions to choose a new password has been sent to you.
       notice_account_activated: Your account has been activated. You can now log in.
-...
       mail_body_lost_password_validity: 'Please be aware that you may change the password only once using this link.'
       mail_subject_register: "Your %{value} account activation"
       mail_body_register: 'To activate your account, click on the following link:'
       mail_subject_locked: "Your %{value} account locked"
       mail_body_locked: "The account was locked because the number of failed login attempts exceeded a certain number of times.\nIf you are not aware of any login failures, reset your password.\n\nTo unlock your account, click on the following link:"
       mail_body_account_information_external: "You can use your %{value} account to log in."
       mail_body_account_information: Your account information
       mail_subject_account_activation_request: "%{value} account activation request"
-...
       mail_body_security_notification_change_to: "%{field} was changed to %{value}."
       mail_body_security_notification_add: "%{field} %{value} was added."
       mail_body_security_notification_remove: "%{field} %{value} was removed."
       mail_body_security_notification_locked: "%{field} %{value} was locked."
       mail_body_security_notification_notify_enabled: "Email address %{value} now receives notifications."
       mail_body_security_notification_notify_disabled: "Email address %{value} no longer receives notifications."
       mail_body_settings_updated: "The following settings were changed:"
-...
       setting_password_min_length: Minimum password length
       setting_password_required_char_classes : Required character classes for passwords
       setting_lost_password: Allow password reset via email
       setting_max_login_attempts: Max login attempts
       setting_new_project_user_role_id: Role given to a non-admin user who creates a project
       setting_default_projects_modules: Default enabled modules for new projects
       setting_issue_done_ratio: Calculate the issue done ratio with

config/routes.rb
28	28	match 'account/register', :to => 'account#register', :via => [:get, :post], :as => 'register'
29	29	match 'account/lost_password', :to => 'account#lost_password', :via => [:get, :post], :as => 'lost_password'
30	30	match 'account/activate', :to => 'account#activate', :via => :get
	31	match 'account/unlock', :to => 'account#unlock', :via => :get
31	32	get 'account/activation_email', :to => 'account#activation_email', :as => 'activation_email'
32	33
33	34	match '/news/preview', :controller => 'previews', :action => 'news', :as => 'preview_news', :via => [:get, :post, :put, :patch]

       format: int
       default: 0
       security_notifications: 1
     max_login_attempts:
       format: int
       default:
       security_notifications: 1
     # Maximum number of additional email addresses per user
     max_additional_emails:
       format: int

db/migrate/20230808010454_add_failed_login_attempts_to_users.rb
	1	class AddFailedLoginAttemptsToUsers < ActiveRecord::Migration[6.1]
	2	def change
	3	add_column :users, :failed_login_attempts, :integer, default: 0, null: false
	4	end
	5	end

     class AccountControllerTest < Redmine::ControllerTest
       fixtures :users, :email_addresses, :roles
       include Redmine::I18n
       def setup
         User.current = nil
-...
         assert_select 'input[name=username][value=admin]'
         assert_select 'input[name=password]'
         assert_select 'input[name=password][value]', 0
         assert_equal 1, User.find(1).failed_login_attempts
       end
       def test_login_should_reset_failed_login_attempts_when_password_is_correct
         user = User.find(1)
         user.update!(failed_login_attempts: 5, status: User::STATUS_ACTIVE)
         with_settings max_login_attempts: 5 do
           post(
             :login,
             :params => {
               :username => 'admin',
               :password => 'admin'
+            }
+          )
           assert_equal 0, user.reload.failed_login_attempts
           assert user.active?
         end
       end
       def test_login_with_locked_account_should_fail
-...
           :login,
           :params => {
             :username => 'jsmith',
             :password => 'jsmith'
             :password => 'bad'
+          }
+        )
         assert_redirected_to '/login'
-...
         assert_redirected_to '/'
       end
       def test_unlock_should_unlock_user_with_valid_token
         user = User.find(1)
         user.lock
         token = Token.new(user: user, action: 'unlock')
         user.save! and token.save!
         get :unlock, params: { token: token.value }
         assert_redirected_to signin_path
         assert_equal l(:notice_account_unlocked), flash[:notice]
         assert_not user.reload.locked?
         assert_nil Token.find_by(id: token.id)
       end
       def test_unlock_should_redirect_to_home_when_token_is_not_found
         user = User.find(1)
         user.lock
         token = Token.new(user: user, action: 'unlock')
         user.save! and token.save!
         get :unlock, params: { token: 'invalid_token' }
         assert_redirected_to home_url
       end
       def test_unlock_should_redirect_to_home_when_token_is_expired
         user = User.find(1)
         user.lock
         token = Token.new(user: user, action: 'unlock', created_on: 2.days.ago)
         user.save! and token.save!
         get :unlock, params: { token: token.value }
         assert_redirected_to home_url
       end
       def test_activation_email_should_send_an_activation_email
         User.find(2).update_attribute :status, User::STATUS_REGISTERED
         @request.session[:registered_user_id] = 2

           User.prune(7)
         end
       end
       def test_reset_failed_login_attempts_should_set_failed_login_attempts_to_zero_and_activate
         user = User.find(1)
         user.update!(failed_login_attempts: 10, status: User::STATUS_LOCKED)
         user.reset_failed_login_attempts!
         assert_equal 0, user.reload.failed_login_attempts
         assert user.active?
       end
       def test_add_failed_login_attempts_should_increment_failed_attempts_by_one
         user = User.find(1)
         user.update!(failed_login_attempts: 1)
         with_settings max_login_attempts: 5 do
           user.add_failed_login_attempts!
           assert_equal 2, user.failed_login_attempts
           assert user.active?
         end
       end
       def test_add_failed_login_attempts_should_lock_user_after_max_attempts
         user = User.find(1)
         user.update!(failed_login_attempts: 5)
         with_settings max_login_attempts: 5 do
           Mailer.expects(:deliver_locked).at_least_once # call mailer when user locked
           Mailer.expects(:deliver_security_notification).at_least_once # call mailer when user locked
           user.add_failed_login_attempts!
           assert_equal 6, user.failed_login_attempts
           assert user.locked?
           assert Token.exists?(user: user, action: 'unlock') # token for unlock
         end
       end
     end

Project

General

Profile

Redmine

Feature #3096 » login_attempts_v2.patch