fix: Only update user.last_login on successful authentication #1775
Description
This PR moves one line around so the `user.last_login` field is only updated when the user has successfully authenticated.

Without this PR the `user.last_login` field is not very useful, as an attacker trying to brute force a login would continuously update the `last_login` field to the datetime of the latest unsuccessful authentication attempt, instead of the datetime of the last successful authentication attempt. I believe that "login" usually refers to a successful authentication attempt, so this keeps the behavior of the code consistent with the semantics of the field name.

I don't have a thorough understanding of what all `user.last_login` could be/is used for, but I can imagine that, when it records the last datetime of a successful authentication attempt, it can be combined with `user.fail_login_count` to generate an average "brute force rate" for each user between successful logins. Without this PR, it is impossible to collect that data because `user.last_login` will almost always be set to the datetime of the latest brute force attempt.

I have expanded the docstring to have a more thorough description of the method, and I have added tests for each line and branch of the `BaseSecurityManager.update_user_auth_stat` method so it is now completely covered by tests.

ADDITIONAL INFORMATION
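The behavioural difference the PR describes, as an added example that is not the project's code: a minimal stand-in `User` and two reconstructed variants of `update_user_auth_stat` (the assumed pre-fix logic that stamps `last_login` on every attempt, and the post-fix logic that stamps it only on success), replayed over a constructed timeline of one real login followed by five failed guesses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


# Minimal stand-in for the user model; constructed for this example only.
@dataclass
class User:
    login_count: int = 0
    fail_login_count: int = 0
    last_login: Optional[datetime] = None


def update_auth_stat_before(user: User, success: bool, now: datetime) -> User:
    """Assumed pre-fix behaviour: last_login is touched on every attempt."""
    if success:
        user.login_count += 1
        user.fail_login_count = 0
    else:
        user.fail_login_count += 1
    user.last_login = now  # runs for failed attempts too, so a brute forcer keeps it current
    return user


def update_auth_stat_after(user: User, success: bool, now: datetime) -> User:
    """Post-fix behaviour: last_login only moves on a successful authentication."""
    if success:
        user.login_count += 1
        user.fail_login_count = 0
        user.last_login = now  # the one line moved inside the success branch
    else:
        user.fail_login_count += 1
    return user


def replay(update, attempts) -> User:
    """Apply a sequence of (success, timestamp) attempts to a fresh user."""
    user = User()
    for success, ts in attempts:
        update(user, success, ts)
    return user


def failures_per_hour(user: User, now: datetime) -> float:
    """The 'brute force rate' the PR mentions: failures since the last successful login."""
    if user.last_login is None:
        return 0.0
    hours = (now - user.last_login).total_seconds() / 3600
    return user.fail_login_count / hours if hours > 0 else float("inf")


# Constructed timeline: one real login at noon, then five failed guesses, one every 10 minutes.
T0 = datetime(2024, 1, 1, 12, 0, 0)
ATTEMPTS = [(True, T0)] + [(False, T0 + timedelta(minutes=10 * i)) for i in range(1, 6)]
```

With the pre-fix logic the rate is measured from the last failed guess rather than from the last real login, which is why the PR says the data cannot be collected without the change.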