Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Fix brute force vuln due to callbacks not being ran (#235)
The authenticate method previously would return before callbacks executed if an
invalid password was provided, which causes the brute force protection to only
work for the first lockout period, and only resets after a successful login.

Fixes #231
  • Loading branch information
joshbuker committed May 2, 2020
1 parent 6b72ca3 commit 0f116d2
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions lib/sorcery/model.rb
Expand Up @@ -102,10 +102,6 @@ def authenticate(*credentials, &block)

set_encryption_attributes

unless user.valid_password?(credentials[1])
return authentication_response(user: user, failure: :invalid_password, &block)
end

if user.respond_to?(:active_for_authentication?) && !user.active_for_authentication?
return authentication_response(user: user, failure: :inactive, &block)
end
Expand All @@ -118,6 +114,10 @@ def authenticate(*credentials, &block)
end
end

unless user.valid_password?(credentials[1])
return authentication_response(user: user, failure: :invalid_password, &block)
end

authentication_response(user: user, return_value: user, &block)
end

Expand Down

0 comments on commit 0f116d2

Please sign in to comment.