Apply brute login policy on failed login

jvillafanez commented 1 year ago

Due to changes in OC 10.12 (not released yet), the behavior of the app has changed. This PR will bring back the old behavior.

OC versions 10.11 and earlier trigger a pre-login event and then a failed login event if needed. The brute login policy was applied only on the pre-login event, which happened even if the login failed afterwards.

With OC 10.12, the pre-login event happens after most of the checks have been done. This means that if the login fails, a failed login event will be triggered but not a pre-login event. This change in the order of the events causes problems with the app behavior.

In order to fix this issue, the brute login policy will also be applied when a login fails. Note that the failed login won't be registered if it happened during the ban period (no change in the behavior)

This change is expected to be backwards compatible.

ownclouders commented 1 year ago

:boom: Acceptance tests pipeline webUIBruteForce-master-firefox-mariadb10.2-php7.4 failed. The build has been cancelled.

https://drone.owncloud.com/owncloud/brute_force_protection/2207/13

saw-jan commented 1 year ago

@jvillafanez Could you rebase with the master and push Locally, all tests pass. But with this fix PR, the last scenario should fail.

jvillafanez commented 1 year ago

rebased

saw-jan commented 1 year ago

rebased

I checked it locally. I think I messed up some setups previously. The fix works very well :+1:. The problem with the CI is that the ban information from the above scenario is also passed down to the next test scenario. Is there any command to reset that information? @jvillafanez

saw-jan commented 1 year ago