parse-community / parse-server

Parse Server for Node.js / Express
https://parseplatform.org
Apache License 2.0

accountLockout not resetting threshold after configured duration #9386

Open messagenius-admin opened 4 days ago

messagenius-admin commented 4 days ago

When using Account Lockout options, multiple login attempts result in the user being locked out for a specified period. After the lockout duration expires, the app should allow the user to attempt the configured number of login attempts again. However, the user is locked out immediately after just one failed login attempt.

Steps to Reproduce

  1. Set the accountLockout config, for example:

    "accountLockout": {
       "duration": 2,
       "threshold": 5 
    }

    This sample configuration will lock the user out for 2 minutes after 5 failed attempts.

  2. Perform a login with wrong credentials, 5 times within 2 minutes.

  3. Observe that you are correctly locked out

  4. Wait for the lockout period to end.

  5. Attempt to log in again using incorrect credentials.

Actual Outcome

The user gets locked out again after a single failed attempt.

Expected Outcome

The user should be able to make the configured number (5 in the above example) of additional attempts before being locked out again.

Environment

Parse Server version: 7.3.0
OS/Host: Any
Database: Any
Client: Any, including REST
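To make the reported behaviour easy to reason about, here is an added model of the lockout policy described above. It is not Parse Server's own implementation: the class, the injectable clock and the `resetCountOnExpiry` switch are assumptions of this example (true models the expected outcome, false models the reported symptom where the stale failure count survives the lockout window).

```javascript
// Added example, not Parse Server code: minimal model of accountLockout with
// an injectable clock so the issue's reproduction steps replay deterministically.
class AccountLockoutModel {
  constructor({ duration, threshold }, clock, resetCountOnExpiry = true) {
    this.durationMs = duration * 60 * 1000; // `duration` is in minutes
    this.threshold = threshold;
    this.clock = clock; // () => epoch milliseconds
    this.resetCountOnExpiry = resetCountOnExpiry; // assumption for illustration
    this.users = new Map(); // username -> { failedCount, lockedUntil }
  }

  _state(username) {
    if (!this.users.has(username)) {
      this.users.set(username, { failedCount: 0, lockedUntil: null });
    }
    return this.users.get(username);
  }

  // Returns 'ok', 'invalid' or 'locked'.
  attemptLogin(username, passwordIsCorrect) {
    const s = this._state(username);
    const now = this.clock();
    if (s.lockedUntil !== null) {
      if (now < s.lockedUntil) return 'locked'; // still inside the window
      s.lockedUntil = null; // lockout duration has elapsed
      if (this.resetCountOnExpiry) s.failedCount = 0; // fresh set of attempts
    }
    if (passwordIsCorrect) {
      s.failedCount = 0;
      return 'ok';
    }
    s.failedCount += 1;
    if (s.failedCount >= this.threshold) {
      s.lockedUntil = now + this.durationMs;
      return 'locked';
    }
    return 'invalid';
  }
}

// Replays the steps from the issue: 5 wrong passwords, wait past the 2-minute
// lockout, then one more wrong password. Returns every attempt's outcome.
function replayIssueSteps(resetCountOnExpiry) {
  let t = 0; // constructed clock, advanced manually
  const model = new AccountLockoutModel({ duration: 2, threshold: 5 }, () => t, resetCountOnExpiry);
  const results = [];
  for (let i = 0; i < 5; i++) { t += 1000; results.push(model.attemptLogin('alice', false)); }
  t += 3 * 60 * 1000; // wait longer than the configured duration
  results.push(model.attemptLogin('alice', false));
  return results;
}
```

With `resetCountOnExpiry` true the sixth attempt is merely `'invalid'`, matching the expected outcome; with it false the sixth attempt is `'locked'`, matching the reported outcome.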

parse-github-assistant[bot] commented 4 days ago

Thanks for opening this issue!

mtrezza commented 4 days ago

Could you submit a PR and duplicate an existing test for this option, where you test this scenario?