FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

[Bug]: Canceling a User Action (specifically one that prevents login) should reset the "login counter" but does not #2668

Open jobannon opened 4 months ago

jobannon commented 4 months ago

What happened?

  1. Follow the instructions in this guide -> https://fusionauth.io/docs/lifecycle/authenticate-users/setting-up-user-account-lockout. For the purposes of this report, let us say that we will allow the user three failed login attempts in a 60 minute window before applying an action that would prevent login. The duration of this action will be set for five minutes.
  2. Proceed to enter incorrect credentials for a user until this user is "actioned" and this action is set to prevent login. That is, enter failing password credentials 3 times in 60 minutes. Confirm that the user is actioned in the Admin UI for five minutes.
  3. Now that the user is actioned for five minutes, immediately cancel the action on the user (in the Admin UI or otherwise).
  4. Immediately attempt to login again with incorrect credentials from the same user in step one after canceling the action.
  5. Observe the user account is immediately locked again. The expectation is the user should be able to reattempt login two more times before being locked once more.
     In other words, the failed login counter on the Authorize page is not resetting in conjunction with a cancelled action. This might be by design, but if so, this design should consider a change.

Expected Behavior - I would expect that if I cancel an action on a user, that user would be able to attempt a failed login the total number of times allowed by the policy and not be immediately actioned.

Version

1.48.3

Affects Versions

No response
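To make the reported behaviour concrete, the following is an added, constructed model of a failed-login counter with a sliding window and a cancelable "prevent login" action. It is not FusionAuth's code and does not reflect how FusionAuth stores its counter internally; the policy numbers (3 failures, 60-minute window, 5-minute action) are taken from the report above, and the user name `alice` is made up. The `reset_counter_on_cancel` flag switches between the behaviour the report observes (counter survives the cancel, so one more failure re-locks immediately) and the behaviour the reporter expects (cancel clears the counter, so the full allowance is available again).

```python
"""Constructed model of a failed-login lockout counter with a cancelable
prevent-login action. Added illustration, not FusionAuth's implementation."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3           # failures allowed inside the window
    window_seconds: int = 60 * 60   # 60-minute sliding window
    lock_seconds: int = 5 * 60      # duration of the prevent-login action


@dataclass
class UserState:
    failures: Deque[float] = field(default_factory=deque)  # failure timestamps
    locked_until: Optional[float] = None                   # None = no action


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy, reset_counter_on_cancel: bool):
        self.policy = policy
        # False models the behaviour described in the report; True models the
        # expected behaviour (cancel also clears the failure counter).
        self.reset_counter_on_cancel = reset_counter_on_cancel
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: float) -> str:
        """Record one failed login at time `now`.

        Returns 'already_locked' if the action is still active, 'locked' if
        this failure triggered the action, or 'counted' otherwise.
        """
        st = self._state(user)
        if self.is_locked(user, now):
            return "already_locked"
        st.failures.append(now)
        # Forget failures that fell out of the sliding window.
        while st.failures and now - st.failures[0] > self.policy.window_seconds:
            st.failures.popleft()
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lock_seconds
            return "locked"
        return "counted"

    def cancel_action(self, user: str) -> None:
        """Administrator cancels the prevent-login action."""
        st = self._state(user)
        st.locked_until = None
        if self.reset_counter_on_cancel:
            st.failures.clear()


def run_report_scenario(reset_counter_on_cancel: bool) -> List[str]:
    """Replay the steps from the report: three failures, cancel, one more failure."""
    tracker = LockoutTracker(LockoutPolicy(), reset_counter_on_cancel)
    user = "alice"  # constructed user name
    t = 0.0
    events: List[str] = []
    for _ in range(3):
        t += 1
        events.append(tracker.record_failure(user, t))
    t += 1
    tracker.cancel_action(user)
    t += 1
    events.append(tracker.record_failure(user, t))
    return events


if __name__ == "__main__":
    print("counter kept after cancel :", run_report_scenario(False))
    print("counter reset after cancel:", run_report_scenario(True))
```

Run as a script, the first line shows the fourth attempt re-locking the account straight away (the reported behaviour); the second shows it merely being counted, leaving two more attempts before the action applies again. Which behaviour is correct is a policy decision, as the report notes, but whichever is chosen should be stated explicitly in the lockout documentation so administrators know whether canceling an action also clears the failure history.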