
Maintenance: Refactored handling of login_failed counter.
mgruner committed Jul 4, 2022
1 parent e7b0665 commit 22cd7cc
Showing 3 changed files with 17 additions and 9 deletions.
17 changes: 10 additions & 7 deletions lib/auth.rb
Expand Up @@ -8,6 +8,8 @@ class Auth

attr_accessor :increase_login_failed_attempts

BRUTE_FORCE_SLEEP = 1.second

# Initializes a Auth object for the given user.
#
# @param username [String] the user name for the user object which needs an authentication.
Expand All @@ -28,28 +30,29 @@ def initialize(username, password)
#
# @return [Boolean] true if the user was authenticated, otherwise false.
def valid?
if !auth_user || !auth_user.can_login?
avoid_brute_force_attack
# Wrap in a lock to synchronize concurrent requests.
validated = auth_user&.user&.with_lock do
next false if !auth_user.can_login?
next true if backends.valid?

return false
auth_user.increase_login_failed if increase_login_failed_attempts
false
end

if backends.valid?
if validated
auth_user.update_last_login
return true
end

avoid_brute_force_attack

auth_user.increase_login_failed if increase_login_failed_attempts
false
end

private

# Sleep for a second to avoid brute force attacks.
def avoid_brute_force_attack
sleep 1
sleep BRUTE_FORCE_SLEEP
end

def backends
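Review bot: The `# Wrap in a lock to synchronize concurrent requests.` comment on `validated = auth_user&.user&.with_lock do` says what the block does but not why; I would make it `# Hold the user's row lock across the can_login? check, the password check and the login_failed increment so that concurrent failed attempts cannot race on the counter; the brute-force delay is taken after the lock is released.` Note that `validated` is nil rather than false when `auth_user` is nil, because the safe-navigation chain short-circuits the whole block, and the fall-through to `avoid_brute_force_attack` only works because it tests truthiness, so a word on that would save the next reader a check. Since `backends.valid?` now runs inside the lock, any latency in a backend extends how long the row lock is held, which presumably is acceptable but is worth stating next to the lock. As a style point, `next false if !auth_user.can_login?` reads better as `next false unless auth_user.can_login?`. The whole of `valid?` is inside the hunk; `initialize` in the hunk header is only context.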
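--- a/spec/lib/auth_spec.rb
+++ b/spec/lib/auth_spec.rb
@@ -7,6 +7,10 @@
 let(:user) { create(:user, password: password) }
 let(:instance) { described_class.new(user.login, password) }
 
+before do
+stub_const('Auth::BRUTE_FORCE_SLEEP', 0)
+end
+
 describe '.valid?' do
 it 'responds to valid?' do
 expect(instance).to respond_to(:valid?)
@@ -83,7 +87,8 @@
 it 'failed login avoids brute force attack' do
 allow(instance).to receive(:sleep)
 instance.valid?
-expect(instance).to have_received(:sleep).with(1)
+# sleep receives the stubbed value.
+expect(instance).to have_received(:sleep).with(0)
 end
 end
 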
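Review bot: With `stub_const('Auth::BRUTE_FORCE_SLEEP', 0)` in a file-wide `before`, the assertion `expect(instance).to have_received(:sleep).with(0)` only proves that the constant is passed through to `sleep`; as far as this file shows, nothing now pins the production delay, so a regression of `BRUTE_FORCE_SLEEP` to zero would pass here. Consider one example in a group without the stub that asserts the real value, e.g. `expect(Auth::BRUTE_FORCE_SLEEP).to eq(1.second)`. The comment `# sleep receives the stubbed value.` would then be the natural place to mention where the real value is covered.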
2 changes: 1 addition & 1 deletion spec/system/js/q_unit_spec.rb
Expand Up @@ -2,7 +2,7 @@

require 'rails_helper'

RSpec.describe 'QUnit', type: :system, authenticated_as: false, set_up: true, websocket: false, time_zone: 'Europe/London' do
RSpec.describe 'QUnit', type: :system, authenticated_as: false, set_up: true, time_zone: 'Europe/London' do
matcher :pass_qunit_test do
match do
actual.has_css?('.total', wait: 120)

