Link to reproduction
No response

Describe the Bug
When a user attempts to log in with incorrect credentials numerous times until it surpasses the `maxLoginAttempts`, Payload tries to lock the account by setting `lockUntil` to the time specified by `lockTime` in the config. All goes well up to the point of checking subsequent incorrect login attempts, because of a mismatch in data type when comparing the dates.

https://github.com/payloadcms/payload/blob/main/packages/payload/src/auth/operations/login.ts#L98-L100

`user.lockUntil` is `string`, but `isLocked` expects a `number`. Because TypeScript assumes `user.lockUntil` is `any`, it doesn't catch this error. Thus, doing `!!(date && date > Date.now())` always returns false, even when it shouldn't.

To Reproduce
Use the blank payloadcms template, then replace [snippet not captured] in `src/collections/Users.ts` with [snippet not captured]. After that, run the cms, and try to log in incorrectly 3 times. When you inspect the db, `lockUntil` is set but Payload fails to block subsequent login attempts.

Payload Version
Latest

Adapters and Plugins
No response

Note
I used MongoDB as the database, so I don't know if this also happens in a Postgres setup.

Picture of `user.lockUntil`: [image not captured]
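The following is an added example, not code from the issue or from Payload itself. It reproduces the comparison the report quotes, `!!(date && date > Date.now())`, against constructed user records whose `lockUntil` is stored as an ISO string (as the reporter observed with MongoDB) versus as epoch milliseconds, and places a coercion-safe `isLocked` beside it. The helper names (`toEpochMs`, `isLockedFixed`, `sampleUsers`, `compare`) and the sample records are assumptions made for this illustration. In JavaScript a string compared with a number is converted with `ToNumber`, so an ISO date string becomes `NaN` and every `>` test is false, which is exactly why the lockout never engages.

```javascript
// Added example (not Payload's own code): why a string lockUntil never blocks
// a login, and an isLocked that normalises the value before comparing.

// The comparison pattern quoted in the issue. It only works when `date`
// already holds epoch milliseconds; an ISO string coerces to NaN here.
function isLockedOriginal(date) {
  return !!(date && date > Date.now());
}

// Normalise number / Date / ISO string to epoch milliseconds.
// Unparseable input yields null so the caller can decide how to treat it.
function toEpochMs(value) {
  if (value == null) return null;
  if (typeof value === 'number') return value;
  if (value instanceof Date) return value.getTime();
  const ms = Date.parse(String(value));
  return Number.isNaN(ms) ? null : ms;
}

// Hardened check: compare numbers with numbers, never strings with numbers.
function isLockedFixed(date) {
  const ms = toEpochMs(date);
  return ms !== null && ms > Date.now();
}

// Constructed sample user documents (assumption: shapes are illustrative only).
// lockedAsString mirrors what the reporter saw in the database.
function sampleUsers(now = Date.now()) {
  const oneHour = 60 * 60 * 1000;
  const future = new Date(now + oneHour);
  const past = new Date(now - oneHour);
  return {
    lockedAsString: { email: 'a@example.com', lockUntil: future.toISOString() },
    lockedAsNumber: { email: 'b@example.com', lockUntil: future.getTime() },
    expiredAsString: { email: 'c@example.com', lockUntil: past.toISOString() },
    neverLocked: { email: 'd@example.com', lockUntil: null },
  };
}

// Run both implementations over the same records and return the verdicts,
// so the difference for the string-typed record is visible side by side.
function compare(users = sampleUsers()) {
  const out = {};
  for (const [name, user] of Object.entries(users)) {
    out[name] = {
      original: isLockedOriginal(user.lockUntil),
      fixed: isLockedFixed(user.lockUntil),
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare());
}
```

The `lockedAsString` row is the reported bug: the original check reports the account as not locked while the normalised check reports it as locked. The other rows show the two implementations agreeing once the stored type matches the expectation, which is why the defect is easy to miss in tests that seed `lockUntil` as a number.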