Defer cors to host/middleware/user code

author: vnugent <public@vaughnnugent.com> 2023-03-25 14:25:21 -0400
committer: vnugent <public@vaughnnugent.com> 2023-03-25 14:25:21 -0400
commit: 1dc1ac2e53f25528aacd1510da928d5f56e3dad7 (patch)
tree: ce8ed59ec116fe615f4bdb70099ac641da3f0153 /plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints
parent: 78901f761e5b8358d02d1841bee4c60d97c94760 (diff)
2 files changed, 16 insertions, 10 deletions
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs
index ea6bab1..062ed93 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs
@@ -53,7 +53,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
     [ConfigurationName("login_endpoint")]
     internal sealed class LoginEndpoint : UnprotectedWebEndpoint
     {
-        public const string INVALID_MESSAGE = "Please check your email or password.";
+        public const string INVALID_MESSAGE = "Please check your email or password. You may get locked out.";
         public const string LOCKED_ACCOUNT_MESSAGE = "You have been timed out, please try again later";
         public const string MFA_ERROR_MESSAGE = "Invalid or expired request.";
 
@@ -159,7 +159,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
                 }
 
                 //Inc failed login count
-                user.FailedLoginIncrement();
+                user.FailedLoginIncrement(entity.RequestedTimeUtc);
                 webm.Result = INVALID_MESSAGE;
 
             Cleanup:
@@ -181,8 +181,10 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
             {
                 return false;
             }
-            //Reset flc for account
-            user.FailedLoginCount(0);
+
+            //Reset flc for account, either the user will be authorized, or the mfa will be triggered, but the flc should be reset
+            user.ClearFailedLoginCount();
+
             try
             {
                 if (user.Status == UserStatus.Active)
@@ -342,7 +344,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
                         {
                             webm.Result = "Please check your code.";
                             //Increment flc and update the user in the store
-                            user.FailedLoginIncrement();                           
+                            user.FailedLoginIncrement(entity.RequestedTimeUtc);                           
                             return;
                         }
                         //Valid, complete                         
@@ -401,7 +403,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
             if (flc.LastModified.Add(FailedCountTimeout) < now)
             {
                 //clear flc flag
-                user.FailedLoginCount(0);
+                user.ClearFailedLoginCount();
                 return false;
             }
 
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PkiLoginEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PkiLoginEndpoint.cs
index 06ccd60..e7c8a86 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PkiLoginEndpoint.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PkiLoginEndpoint.cs
@@ -120,7 +120,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
             JsonWebToken jwt;
             try
             {
-                //We can try to recover the jwt data
+                //We can try to recover the jwt data, if the data is invalid, 
                 jwt = JsonWebToken.Parse(login.LoginJwt);
             }
             catch (KeyNotFoundException)
@@ -197,7 +197,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
                 if (webm.Assert(user.PKIVerifyUserJWT(jwt, authInfo.KeyId) == true, INVALID_MESSAGE))
                 {
                     //increment flc on invalid signature
-                    user.FailedLoginIncrement();
+                    user.FailedLoginIncrement(entity.RequestedTimeUtc);
                     await user.ReleaseAsync();
 
                     entity.CloseResponse(webm);
@@ -399,7 +399,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
             if (flc.LastModified.AddSeconds(_config.FailedCountTimeoutSec) < now)
             {
                 //clear flc flag
-                user.FailedLoginCount(0);
+                user.ClearFailedLoginCount();
                 return false;
             }
 
@@ -430,7 +430,11 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
                 RuleFor(l => l.LoginJwt)
                     .NotEmpty()
                     .MinimumLength(50)
-                    .IllegalCharacters();
+                    //Token should not contain illegal chars, only base64url + '.'
+                    .IllegalCharacters()
+                    //Make sure the jwt contains exacly 2 '.' chracters
+                    .Must(static l => l.Where(static c => c == '.').Count() == 2)
+                    .WithMessage("Your credential is not a valid Json Web Token");
             }
         }
author	vnugent <public@vaughnnugent.com>	2023-03-25 14:25:21 -0400
committer	vnugent <public@vaughnnugent.com>	2023-03-25 14:25:21 -0400
commit	1dc1ac2e53f25528aacd1510da928d5f56e3dad7 (patch)
tree	ce8ed59ec116fe615f4bdb70099ac641da3f0153 /plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints
parent	78901f761e5b8358d02d1841bee4c60d97c94760 (diff)