
[Captcha] Implement failed logins ceiling (#1870)

* [Hacker1] Failed Login Attempts Captcha

* [Captcha] Implement failed logins ceiling

* Formatting

* Updated approach after implementation talks with Kyle

* Updated email templates // Updated calling arch for failed attempts

* Formatting

* Updated 2fa email links

* Renamed baserequest methods to better match their actions

* EF migrations/scripts

* Updated with requested changes

* Defaults for MaximumFailedLoginAttempts
Vincent Salucci
2022-03-02 15:45:00 -06:00
committed by GitHub
parent 7bdb07da93
commit 19d5817f8f
30 changed files with 3669 additions and 19 deletions


@ -37,10 +37,12 @@ namespace Bit.Core.IdentityServer
ICurrentContext currentContext,
GlobalSettings globalSettings,
IPolicyRepository policyRepository,
ICaptchaValidationService captchaValidationService)
ICaptchaValidationService captchaValidationService,
IUserRepository userRepository)
: base(userManager, deviceRepository, deviceService, userService, eventService,
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository)
applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository,
userRepository, captchaValidationService)
{
_userManager = userManager;
_userService = userService;
@ -60,7 +62,7 @@ namespace Bit.Core.IdentityServer
string bypassToken = null;
var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
var unknownDevice = !await KnownDeviceAsync(user, context.Request);
if (unknownDevice && _captchaValidationService.RequireCaptchaValidation(_currentContext))
if (unknownDevice && _captchaValidationService.RequireCaptchaValidation(_currentContext, user.FailedLoginCount))
{
var captchaResponse = context.Request.Raw["captchaResponse"]?.ToString();
@ -83,7 +85,7 @@ namespace Bit.Core.IdentityServer
bypassToken = _captchaValidationService.GenerateCaptchaBypassToken(user);
}
await ValidateAsync(context, context.Request);
await ValidateAsync(context, context.Request, unknownDevice);
if (context.Result.CustomResponse != null && bypassToken != null)
{
context.Result.CustomResponse["CaptchaBypassToken"] = bypassToken;