Account locking failure #4950

Open
zakinadhif opened this issue Jan 30, 2024 · 0 comments · May be fixed by #6052
status: needs-triage Possible bug which hasn't been reproduced yet

Comments


zakinadhif commented Jan 30, 2024

Link to reproduction

No response

Describe the Bug

When a user attempts to log in with incorrect credentials numerous times, until they surpass maxLoginAttempts, Payload tries to lock the account by setting lockUntil to the time specified by lockTime in the config. All goes well up to the point of checking subsequent incorrect login attempts, which fails because of a mismatch in data type when comparing the dates.

https://github.com/payloadcms/payload/blob/main/packages/payload/src/auth/operations/login.ts#L98-L100

user.lockUntil is a string, but isLocked expects a number. Because TypeScript assumes user.lockUntil is any, it doesn't catch this error. Thus, !!(date && date > Date.now()) always returns false, even when it shouldn't.

To Reproduce

Use the blank payloadcms template, then replace

auth: true,

in src/collections/Users.ts, to:

auth: {
  tokenExpiration: 7200,
  maxLoginAttempts: 3,
  lockTime: 100000, // 100 seconds
},

After that, run the CMS and try to log in incorrectly 3 times. When you inspect the DB, lockUntil is set, but Payload fails to block subsequent login attempts.

Payload Version

Latest

Adapters and Plugins

No response

Note

I used MongoDB as the database, so I don't know if this also happens in a Postgres setup.

Picture of user.lockUntil: [image]
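The comparison described in this report, as an added example (not Payload's own code): a lockUntil value that arrives from the database as an ISO-8601 string is compared with `>` against Date.now(), which coerces the string to NaN and so never reports the account as locked. The names isLockedBroken, toEpochMs, isLockedFixed and the fixed "now" timestamp are assumptions made for the example; the fixed check normalises number, Date and string values to epoch milliseconds before comparing and treats an unparseable value as locked rather than silently disabling the lockout.

```javascript
// Added example, not Payload's code. Models the check the report points at:
// `!!(date && date > Date.now())` with `date` assumed to be a number.
function isLockedBroken(lockUntil) {
  // If lockUntil is an ISO string, `string > number` converts the string with
  // Number(), which yields NaN for "2024-01-30T12:01:40.000Z"; NaN > n is false.
  return !!(lockUntil && lockUntil > Date.now());
}

// Normalise whatever the adapter returned to epoch milliseconds.
// Returns null when no lock is recorded, NaN when the value cannot be parsed.
function toEpochMs(value) {
  if (value === null || value === undefined) return null;
  if (value instanceof Date) return value.getTime();
  if (typeof value === 'number') return value;
  if (typeof value === 'string') return new Date(value).getTime(); // NaN if unparseable
  return NaN;
}

// Hardened check (assumed name): compare timestamps, not mixed types.
// `now` is injectable so the behaviour can be tested deterministically.
function isLockedFixed(lockUntil, now = Date.now()) {
  const ms = toEpochMs(lockUntil);
  if (ms === null) return false;     // no lock recorded
  if (Number.isNaN(ms)) return true; // corrupt value: fail closed, do not reopen the account
  return ms > now;
}

// Constructed fixture: "now" is 2024-01-30 12:00:00 UTC and lockUntil, as
// MongoDB handed it back, is an ISO string 100 s (lockTime: 100000) ahead.
const NOW = Date.UTC(2024, 0, 30, 12, 0, 0);
const FUTURE_LOCK_ISO = new Date(NOW + 100000).toISOString();

function demo() {
  return {
    // string lockUntil: the reported bug, lock is ignored
    brokenWithString: isLockedBroken(FUTURE_LOCK_ISO),
    // numeric lockUntil: the same expression works as intended
    brokenWithNumber: isLockedBroken(Date.now() + 100000),
    // normalised check honours the string lock ...
    fixedActiveLock: isLockedFixed(FUTURE_LOCK_ISO, NOW),
    // ... and releases it once lockUntil has passed
    fixedExpiredLock: isLockedFixed(new Date(NOW - 1).toISOString(), NOW),
  };
}

module.exports = { isLockedBroken, toEpochMs, isLockedFixed, demo, NOW };
```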

zakinadhif added the status: needs-triage label Jan 30, 2024
Sjoertjuh linked a pull request Apr 26, 2024 that will close this issue