Failcounter increments on every token without a PIN when the user= arg only has a <space> #1227
The failcounter increments on every token without a PIN when the user= parameter just has a <space>.
What did you try to do?
Have tokens without PIN, for example in our setup we have HOTP, TOTP and VASCO tokens without PIN.
For example with httpie:
Or with curl:
This will return: "wrong otp value" and increment all failcounters by 1.
What outcome did you expect?
Since the user= parameter does not match any user in privacyidea with a token, I was expecting it to just deny/drop the request.
What outcome did you experience?
All token verifications were blocked because all failcounters were incremented to their current max of 10. And any valid check would output the following: "matching 1 tokens, Failcounter exceeded".
Tested on privacyIDEA 2.22 and 2.23.1.
I'm suspecting something wrong in the logic of privacyidea/lib/token.py#L2205, so that this is matching all tokens without a PIN.
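To illustrate the failure class this report describes, here is an added toy example in Python. It is not privacyIDEA's code and does not claim to reproduce the logic in token.py; the `Token` class, the two lookup functions, the serials, users and OTP values are all constructed for illustration. It contrasts a lookup that treats a blank user filter as "match everything" (which turns one malformed request into a failcounter bump on every PIN-less token, and ten such requests into a lockout) with a lookup that rejects a blank user before any token is touched.

```python
from dataclasses import dataclass

MAX_FAIL = 10  # constructed limit, matching the "max of 10" in the report


@dataclass
class Token:
    serial: str
    user: str
    otp: str           # constructed single valid OTP value for the toy
    pin: str = ""      # empty string models a token without PIN
    failcounter: int = 0


def lookup_wildcard_on_empty(tokens, user):
    """Failure pattern (hypothetical): an empty filter is treated as
    'no filter', so a whitespace-only user strips to '' and selects
    every token."""
    user = (user or "").strip()
    return [t for t in tokens if not user or t.user == user]


def lookup_strict(tokens, user):
    """Hardened form: a blank user is rejected before any token lookup."""
    user = (user or "").strip()
    if not user:
        raise ValueError("user parameter is blank")
    return [t for t in tokens if t.user == user]


def check_otp(tokens, raw_user, passwd, lookup=lookup_strict):
    """Toy /validate/check: returns (success, message). Only the tokens
    returned by `lookup` have their failcounter touched."""
    try:
        candidates = lookup(tokens, raw_user)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if not candidates:
        return False, "no token found for user"
    if any(t.failcounter >= MAX_FAIL for t in candidates):
        return False, "Failcounter exceeded"
    for t in candidates:
        if passwd == t.pin + t.otp:   # PIN-less token: password is the bare OTP
            t.failcounter = 0
            return True, f"matching token {t.serial}"
    for t in candidates:
        t.failcounter += 1
    return False, "wrong otp value"


def fresh_tokens():
    # Constructed PIN-less tokens for two unrelated users.
    return [Token("HOTP001", "alice", "123456"), Token("TOTP002", "bob", "654321")]


def demo_wildcard():
    """One request with user=' ' bumps every PIN-less token's failcounter."""
    tokens = fresh_tokens()
    result = check_otp(tokens, " ", "000000", lookup=lookup_wildcard_on_empty)
    return result, [t.failcounter for t in tokens]


def demo_lockout():
    """MAX_FAIL such requests lock out a user who then presents a valid OTP."""
    tokens = fresh_tokens()
    for _ in range(MAX_FAIL):
        check_otp(tokens, " ", "000000", lookup=lookup_wildcard_on_empty)
    return check_otp(tokens, "bob", "654321", lookup=lookup_wildcard_on_empty)


def demo_strict():
    """With the strict lookup the blank request is rejected and nothing changes."""
    tokens = fresh_tokens()
    result = check_otp(tokens, " ", "000000")
    return result, [t.failcounter for t in tokens]


if __name__ == "__main__":
    print(demo_wildcard())
    print(demo_lockout())
    print(demo_strict())
```

The defensive point is the order of operations: validate the user parameter before resolving tokens, so that a request that names no real user can never select (and penalise) tokens that happen to lack a PIN.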