diff options
author | Sean McGivern <sean@gitlab.com> | 2016-09-02 14:30:19 +0100 |
---|---|---|
committer | Sean McGivern <sean@gitlab.com> | 2016-10-04 15:01:38 +0100 |
commit | 194fbc3c3d4b068f191fca75488b986df88c5333 (patch) | |
tree | cbb59f0130f665b2abe84d88435a88a011bad762 /app/controllers | |
parent | 66613f1ac9e277da9b68ff6ddbd0fb7eca3507bf (diff) | |
download | gitlab-ce-194fbc3c3d4b068f191fca75488b986df88c5333.tar.gz |
Restrict failed login attempts for users with 2FA
Copy logic from `Devise::Models::Lockable#valid_for_authentication?`, as
our custom login flow with two pages doesn't call this method. This will
increment the failed login counter, and lock the user's account once
they exceed the number of failed attempts.
Also ensure that users who are locked can't continue to submit 2FA
codes.
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/concerns/authenticates_with_two_factor.rb | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/app/controllers/concerns/authenticates_with_two_factor.rb b/app/controllers/concerns/authenticates_with_two_factor.rb index d5a8a962662..4c497711fc0 100644 --- a/app/controllers/concerns/authenticates_with_two_factor.rb +++ b/app/controllers/concerns/authenticates_with_two_factor.rb @@ -23,15 +23,24 @@ module AuthenticatesWithTwoFactor # # Returns nil def prompt_for_two_factor(user) + return locked_user_redirect(user) if user.access_locked? + session[:otp_user_id] = user.id setup_u2f_authentication(user) render 'devise/sessions/two_factor' end + def locked_user_redirect(user) + flash.now[:alert] = 'Invalid Login or password' + render 'devise/sessions/new' + end + def authenticate_with_two_factor user = self.resource = find_user - if user_params[:otp_attempt].present? && session[:otp_user_id] + if user.access_locked? + locked_user_redirect(user) + elsif user_params[:otp_attempt].present? && session[:otp_user_id] authenticate_with_two_factor_via_otp(user) elsif user_params[:device_response].present? && session[:otp_user_id] authenticate_with_two_factor_via_u2f(user) @@ -50,8 +59,9 @@ module AuthenticatesWithTwoFactor remember_me(user) if user_params[:remember_me] == '1' sign_in(user) else + user.increment_failed_attempts! flash.now[:alert] = 'Invalid two-factor code.' - render :two_factor + prompt_for_two_factor(user) end end @@ -65,6 +75,7 @@ module AuthenticatesWithTwoFactor remember_me(user) if user_params[:remember_me] == '1' sign_in(user) else + user.increment_failed_attempts! flash.now[:alert] = 'Authentication via U2F device failed.' prompt_for_two_factor(user) end |