anyx / LoginGateBundle


Filter by username only if defined #27

Closed lexthink closed 3 years ago

lexthink commented 3 years ago

In the AuthenticationFailureEvent handler, LoginFormUsernameResolver returns the _username parameter from the request, and this value is inserted into the database. But in all other requests this parameter may not exist, so the canLogin method in BruteForceChecker always returns true, because FailureLoginAttemptRepository filters records with a null username.

I think FailureLoginAttemptRepository should filter by ip and username only if the username is defined; if not, filter by ip only.
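The failure mode described in the issue, reduced to a self-contained PHP script. This is an added illustration, not code from anyx/LoginGateBundle: the classes FailureLoginAttempt and AttemptStore, the methods countStrict and countConditional, and the sample rows are all hypothetical stand-ins for the bundle's repository and its Doctrine query. countStrict models an unconditional equality predicate on username, which can never match once the resolver yields null (the same outcome as an SQL `username = NULL` comparison), so the attempt count collapses to zero and the check passes. countConditional adds the username predicate only when a username is known and otherwise counts by IP alone, which is the behaviour the issue proposes.

```php
<?php
// Added illustration for the issue above; not code from anyx/LoginGateBundle.
// All names here are hypothetical. Requires PHP 8.1+ (readonly promoted properties).
declare(strict_types=1);

final class FailureLoginAttempt
{
    public function __construct(
        public readonly string $ip,
        public readonly ?string $username,
        public readonly int $timestamp,
    ) {}
}

final class AttemptStore
{
    /** @var FailureLoginAttempt[] */
    private array $rows = [];

    public function add(FailureLoginAttempt $attempt): void
    {
        $this->rows[] = $attempt;
    }

    // Models the current behaviour: the username predicate is always applied.
    // When the resolved username is null, no stored row can satisfy it, so the
    // method returns zero regardless of how many failures the IP has produced.
    public function countStrict(string $ip, ?string $username, int $since): int
    {
        return count(array_filter(
            $this->rows,
            fn (FailureLoginAttempt $r): bool =>
                $r->ip === $ip
                && $r->timestamp >= $since
                && $username !== null
                && $r->username === $username
        ));
    }

    // Proposed behaviour: only narrow by username when one was actually
    // resolved from the request; otherwise count every failure from the IP.
    public function countConditional(string $ip, ?string $username, int $since): int
    {
        return count(array_filter(
            $this->rows,
            function (FailureLoginAttempt $r) use ($ip, $username, $since): bool {
                if ($r->ip !== $ip || $r->timestamp < $since) {
                    return false;
                }
                return $username === null || $r->username === $username;
            }
        ));
    }
}

// Constructed sample data: three failed logins from one IP within the last
// minute, each recorded from a form submission that carried _username.
$store = new AttemptStore();
$now = time();
foreach ([1, 2, 3] as $secondsAgo) {
    $store->add(new FailureLoginAttempt('198.51.100.7', 'alice', $now - $secondsAgo));
}

$threshold = 3;       // hypothetical: block once this many failures are seen
$window = $now - 60;  // hypothetical: look back one minute

// A subsequent request without a _username field resolves the username to null.
$strict = $store->countStrict('198.51.100.7', null, $window);
$fixed = $store->countConditional('198.51.100.7', null, $window);

printf("strict filter: %d attempts counted, canLogin=%s\n",
    $strict, $strict < $threshold ? 'true' : 'false');
printf("conditional filter: %d attempts counted, canLogin=%s\n",
    $fixed, $fixed < $threshold ? 'true' : 'false');
```

Run it with `php` on the command line. The first line shows the lockout check passing for a request that omits the username field even though the IP has already exceeded the threshold; the second shows the same request being counted against the IP once the username predicate is made conditional. In a Doctrine repository the equivalent change is to add the username `andWhere` clause only inside an `if ($username !== null)` branch rather than binding a null parameter unconditionally.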