server: users are now locked according to the number of attempts for a given ip

bumped server version to 1.11.6

server: users are now locked according to the number of attempts for a given ip
ab5a566b · Florent Gluck · df90f138 · ab5a566b · ab5a566b
Commit ab5a566b authored 1 month ago by Florent Gluck
--- a/src/server/router/auth.go
+++ b/src/server/router/auth.go
@@ -27,7 +27,12 @@ type auth struct {
 	tokenAccess middleware.JWTConfig
 }

-var loginAttempts map[string]int // Number of consecutive wrong logins for the same user
+type userRequest struct {
+	email string
+	ip    string
+}
+
+var loginAttempts map[userRequest]int // Number of consecutive wrong logins for the same user
 var loginAttemptsMutex *sync.Mutex

 var lockedUsers map[string]time.Time // Locked users and timestamps when their accounts were locked
@@ -37,7 +42,7 @@ var jwtSecretKey string

 // Creates an auth object.
 func NewAuth(u *users.Users) (*auth, error) {
-	loginAttempts = make(map[string]int)
+	loginAttempts = make(map[userRequest]int)
 	loginAttemptsMutex = new(sync.Mutex)
 	lockedUsers = make(map[string]time.Time)
 	lockedUsersMutex = new(sync.Mutex)
@@ -115,20 +120,21 @@ func (auth *auth) Login(c echo.Context) error {
 	err = bcrypt.CompareHashAndPassword([]byte(user.Pwd), []byte(reqUser.Pwd))

 	// If err == nil, passwords match!
+	userReq := userRequest{email: user.Email, ip: c.RealIP()}
 	if err == nil {
 		loginAttemptsMutex.Lock()
-		loginAttempts[user.Email] = 0
+		loginAttempts[userReq] = 0
 		loginAttemptsMutex.Unlock()
 	} else {
 		// Stores the number of attempted logins.
 		loginAttemptsMutex.Lock()
-		count, found := loginAttempts[user.Email]
+		count, found := loginAttempts[userReq]
 		if found {
 			count = count + 1
 		} else {
 			count = 1
 		}
-		loginAttempts[user.Email] = count
+		loginAttempts[userReq] = count
 		loginAttemptsMutex.Unlock()
 		log.Info("Login attempt ", count, " for user ", user.Email, ", source ip=", c.RealIP())
 		if count > conf.Auth.MaxLoginAttempts {
@@ -207,7 +213,8 @@ func UnlockUser(c echo.Context, emailToUnlock string) error {
 		// unlock user by removing it from the locked map
 		delete(lockedUsers, emailToUnlock)
 		loginAttemptsMutex.Lock()
-		loginAttempts[emailToUnlock] = 0 // reset the number of attempts
+		userReq := userRequest{email: userEmail, ip: c.RealIP()}
+		loginAttempts[userReq] = 0 // reset the number of attempts
 		loginAttemptsMutex.Unlock()
 		log.Info("User ", userEmail, " unlocked user ", emailToUnlock, ", source ip=", c.RealIP())
 		return nil

--- a/src/server/version/version.go
+++ b/src/server/version/version.go
@@ -7,7 +7,7 @@ import (
 const (
 	major  = 1
 	minor  = 11
-	bugfix = 5
+	bugfix = 6
 )

 var version params.Version = params.NewVersion(major, minor, bugfix)