data-govt-nz / ckanext-security

A CKAN extension to hold various security improvements for CKAN
GNU Affero General Public License v3.0

Login Max count and lockTimeout query #73

Closed Team1-epat closed 4 months ago

Team1-epat commented 4 months ago

Hi,

I am currently using ckan version 2.10 and successfully setup the ckanext-security (with tag 4.1.0). I tried to set the ckanext.security.login_max_count to 10 in ckan.ini, then I used the ckan website to login 11 times with the incorrect password. On the 12th time, I used the correct password to login and I was directed to the Dataset landing webpage, shouldn't it be that the account is locked out, instead of able to login? Is the behavior correct for login_max_count and ckanext.security.lock_timeout?

I tried to also enter the incorrect password on the 12th time, the error prompt on the website will display "Login failed. Bad username or password", so I am not so sure if the login_max_count is applied on my ckan application.

Could you please kindly advise the correct way of testing the ckanext.security.lock_timeout and ckanext.security.login_max_count settings, to check if these settings are applied correctly?

ckan.ini

# 15 minute timeout with 10 attempts
# Login throttling lock period (seconds)
ckanext.security.lock_timeout = 900
# Login throttling attempt limit
ckanext.security.login_max_count = 10

markstuart commented 4 months ago

I think I've fixed this issue in #72 ... there is an interaction between the config that disables MFA and the custom authenticator method that meant that even if the LoginThrottle was locked for a user, the user would still get logged in as the custom authenticator would return null and CKAN would fall back to the default authenticator. See a959c2b for more details.

Can you install this plugin at the head of the refactor_mfa branch and test that out please?

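To make the interaction markstuart describes concrete, here is a constructed Python simulation (added here, not code from ckanext-security or CKAN): a throttle using the thread's login_max_count and lock_timeout values, a custom authenticator that returns None for a locked user (the buggy path) or an explicit "LOCKED" result (the fixed path), and a chain that falls back to the default authenticator whenever the custom one returns None. The credential store, the usernames and the "LOCKED" sentinel are assumptions.

```python
import time

# Constructed simulation (not ckanext-security's or CKAN's own code) of the
# failure mode described above: a custom authenticator that answers None for a
# locked user lets the caller fall back to the default authenticator, so the
# login throttle never actually blocks the login.

LOGIN_MAX_COUNT = 10        # ckanext.security.login_max_count
LOCK_TIMEOUT = 900          # ckanext.security.lock_timeout, in seconds
USERS = {"alice": "correct-horse"}  # constructed credential store


class LoginThrottle:
    """Counts failed logins per user; locks for LOCK_TIMEOUT after the limit."""

    def __init__(self):
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> epoch seconds when the lock expires

    def is_locked(self, user):
        return self.locked_until.get(user, 0) > time.time()

    def record_failure(self, user):
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOGIN_MAX_COUNT:
            self.locked_until[user] = time.time() + LOCK_TIMEOUT


def default_authenticate(user, password):
    """Stand-in for CKAN's default authenticator: checks the password only."""
    return user if USERS.get(user) == password else None


def throttled_authenticate(throttle, user, password, buggy):
    """Custom authenticator. buggy=True reproduces the bug: a locked user gets
    None, which the chain below treats as 'no opinion' and falls through."""
    if throttle.is_locked(user):
        return None if buggy else "LOCKED"   # fixed path: explicit, terminal answer
    if USERS.get(user) == password:
        return user
    throttle.record_failure(user)
    return None


def login(throttle, user, password, buggy):
    """CKAN-style chain: the first authenticator with a non-None answer wins.
    Returns the username on success, 'LOCKED' when blocked, None on failure."""
    result = throttled_authenticate(throttle, user, password, buggy)
    if result is None:
        result = default_authenticate(user, password)
    return result
```

Running eleven wrong passwords followed by the correct one reproduces the thread: with the buggy path the twelfth attempt logs in, with the fixed path it is rejected as locked.
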
Team1-epat commented 4 months ago

Hi, I have tried the refactor_mfa branch and the login_max_count and the timeout are working fine. May I know whether there is a plan to move the code change to the master branch?

markstuart commented 4 months ago

Released as 4.1.1