From 1dc1ac2e53f25528aacd1510da928d5f56e3dad7 Mon Sep 17 00:00:00 2001
From: vnugent
Date: Sat, 25 Mar 2023 14:25:21 -0400
Subject: Defer cors to host/middleware/user code

---
 .../src/Endpoints/LoginEndpoint.cs | 14 ++++++++------
 .../src/Endpoints/PkiLoginEndpoint.cs | 12 ++++++++----
 2 files changed, 16 insertions(+), 10 deletions(-)

(limited to 'plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints')

diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs
index ea6bab1..062ed93 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs
@@ -53,7 +53,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 [ConfigurationName("login_endpoint")]
 internal sealed class LoginEndpoint : UnprotectedWebEndpoint
 {
- public const string INVALID_MESSAGE = "Please check your email or password.";
+ public const string INVALID_MESSAGE = "Please check your email or password. You may get locked out.";
 public const string LOCKED_ACCOUNT_MESSAGE = "You have been timed out, please try again later";
 public const string MFA_ERROR_MESSAGE = "Invalid or expired request.";
@@ -159,7 +159,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 }
 //Inc failed login count
- user.FailedLoginIncrement();
+ user.FailedLoginIncrement(entity.RequestedTimeUtc);
 webm.Result = INVALID_MESSAGE;
 Cleanup:
@@ -181,8 +181,10 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 {
 return false;
 }
- //Reset flc for account
- user.FailedLoginCount(0);
+
+ //Reset flc for account, either the user will be authorized, or the mfa will be triggered, but the flc should be reset
+ user.ClearFailedLoginCount();
+
 try
 {
 if (user.Status == UserStatus.Active)
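Review bot: `user.ClearFailedLoginCount();` runs as soon as the password check passes and before the MFA outcome is known, so the count that the MFA-failure path increments (hunk @@ -342 in this file) restarts from zero on every new password submission; the lockout therefore bounds code guesses per login attempt rather than cumulatively. Consider clearing the count only once the login is fully authorized and letting the MFA path accumulate until then, or tracking MFA failures under a separate counter with its own threshold. The enclosing method starts and ends outside this hunk, so where the updated user record is persisted after the reset is not visible here.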
@@ -342,7 +344,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 {
 webm.Result = "Please check your code.";
 //Increment flc and update the user in the store
- user.FailedLoginIncrement();
+ user.FailedLoginIncrement(entity.RequestedTimeUtc);
 return;
 }
 //Valid, complete
@@ -401,7 +403,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 if (flc.LastModified.Add(FailedCountTimeout) < now)
 {
 //clear flc flag
- user.FailedLoginCount(0);
+ user.ClearFailedLoginCount();
 return false;
 }
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PkiLoginEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PkiLoginEndpoint.cs
index 06ccd60..e7c8a86 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PkiLoginEndpoint.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PkiLoginEndpoint.cs
@@ -120,7 +120,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 JsonWebToken jwt;
 try
 {
- //We can try to recover the jwt data
+ //We can try to recover the jwt data, if the data is invalid,
 jwt = JsonWebToken.Parse(login.LoginJwt);
 }
 catch (KeyNotFoundException)
@@ -197,7 +197,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 if (webm.Assert(user.PKIVerifyUserJWT(jwt, authInfo.KeyId) == true, INVALID_MESSAGE))
 {
 //increment flc on invalid signature
- user.FailedLoginIncrement();
+ user.FailedLoginIncrement(entity.RequestedTimeUtc);
 await user.ReleaseAsync();
 entity.CloseResponse(webm);
@@ -399,7 +399,7 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 if (flc.LastModified.AddSeconds(_config.FailedCountTimeoutSec) < now)
 {
 //clear flc flag
- user.FailedLoginCount(0);
+ user.ClearFailedLoginCount();
 return false;
 }
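Review bot: The lockout window at `if (flc.LastModified.Add(FailedCountTimeout) < now)` and the parallel check in PkiLoginEndpoint (hunk @@ -399, using `_config.FailedCountTimeoutSec`) evaluate the same per-user failed-login count against two separately configured timeouts, so the effective lockout on an account is whichever window is shorter and changing one setting silently affects the other endpoint. Consider moving the window check and its configuration into one shared helper on the user record so both endpoints agree. Separately, the increments now stamp `entity.RequestedTimeUtc` while this comparison uses `now`, whose source is outside the hunk; if `now` is read from a different clock the window is off by the skew, so a comment such as `//now must come from the same clock as the entity.RequestedTimeUtc passed to FailedLoginIncrement` would record the assumption. Both enclosing methods continue outside their hunks.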
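Review bot: The new comment `//We can try to recover the jwt data, if the data is invalid,` is cut off mid-sentence, and it is the only change in the hunk. Complete it with what the hunk shows, e.g. `//Try to parse the jwt; a malformed token throws and the catch blocks below reject the login` (the hunk shows a `catch (KeyNotFoundException)` arm; any other arms are outside it). The enclosing method starts and ends outside this hunk.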
@@ -430,7 +430,11 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 RuleFor(l => l.LoginJwt)
 .NotEmpty()
 .MinimumLength(50)
- .IllegalCharacters();
+ //Token should not contain illegal chars, only base64url + '.'
+ .IllegalCharacters()
+ //Make sure the jwt contains exacly 2 '.' chracters
+ .Must(static l => l.Where(static c => c == '.').Count() == 2)
+ .WithMessage("Your credential is not a valid Json Web Token");
 }
 }
--
cgit
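Review bot: The new predicate `.Must(static l => l.Where(static c => c == '.').Count() == 2)` dereferences `l` unconditionally, and FluentValidation's default cascade mode keeps evaluating the rule chain after `.NotEmpty()` fails, so a request with a null `LoginJwt` would reach this lambda and throw a NullReferenceException inside the validator instead of producing the intended validation failure; this is untrusted input, so the guard matters unless a stop cascade is configured outside this hunk. A null-safe and shorter form is `.Must(static l => l is not null && l.Count(static c => c == '.') == 2)`. The comment above it has typos (`exacly`, `chracters`), and the comment above `.IllegalCharacters()` asserts a base64url-only alphabet that `IllegalCharacters()` is not shown here to enforce; if it checks a different character set, the comment should say which.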