In the AuthenticationFailureEvent handler, LoginFormUsernameResolver returns the `_username` parameter from the request, and this value is inserted into the database. But in all other requests this parameter may not exist, so the canLogin method in BruteForceChecker always returns true, because FailureLoginAttemptRepository filters records with a null username.
I think FailureLoginAttemptRepository should filter by ip and username only if username is defined; if not, it should filter by ip only.
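One way to apply the conditional filter described above, as an added example that is not part of the original issue or the project's code (the method names, the entity field names, the time window and the attempt threshold are assumptions):

```php
<?php
// Added example, not the project's code. Assumes a Doctrine entity
// FailureLoginAttempt with fields id, ip, username (nullable) and createdAt;
// countRecentFailures, the window and the threshold are hypothetical.

declare(strict_types=1);

use Doctrine\ORM\EntityRepository;

class FailureLoginAttemptRepository extends EntityRepository
{
    /**
     * Count failed attempts for this IP since $since, narrowing to the
     * username only when one is known. With a null or empty username the
     * IP-only count is returned instead of an always-empty result.
     */
    public function countRecentFailures(string $ip, ?string $username, \DateTimeInterface $since): int
    {
        $qb = $this->createQueryBuilder('a')
            ->select('COUNT(a.id)')
            ->andWhere('a.ip = :ip')
            ->andWhere('a.createdAt >= :since')
            ->setParameter('ip', $ip)
            ->setParameter('since', $since);

        // Only add the username condition when the request carried one.
        if ($username !== null && $username !== '') {
            $qb->andWhere('a.username = :username')
               ->setParameter('username', $username);
        }

        return (int) $qb->getQuery()->getSingleScalarResult();
    }
}

class BruteForceChecker
{
    public function __construct(
        private FailureLoginAttemptRepository $repository,
        private int $maxAttempts = 5,
    ) {}

    // Returns false once the IP (and, if known, the username) has too many
    // recent failures; a missing username no longer disables the check.
    public function canLogin(string $ip, ?string $username): bool
    {
        $since = new \DateTimeImmutable('-15 minutes');
        return $this->repository->countRecentFailures($ip, $username, $since) < $this->maxAttempts;
    }
}
```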