wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

SMS OTP account locked error is displayed as "something went wrong" with multi options #15208

Open mpmadhavig opened 1 year ago

mpmadhavig commented 1 year ago

Describe the issue: When an application is configured with MFA as sign-in options and, for the 2nd factor, multiple options such as SMS OTP and TOTP are configured, if the user gets locked out for entering invalid SMS OTPs, the error should display that the user is locked out for x many minutes. Instead the error displays "something went wrong".

How To Reproduce:

  1. Create an application.
  2. Add sms OTP and TOTP as the 2nd factor of the sign-in methods.
  3. Save the application.
  4. Configure the client application with the correct client id and base url.
  5. Try sign in.
  6. For the 2nd factor choose email OTP.
  7. Give invalid codes for the email OTP input.
  8. After your final attempt you will be directed to a "something went wrong" page.

Expected behavior: The error message should be "you got locked out for x many minutes".

Environment information

mpmadhavig commented 1 year ago

Fixed with

mpmadhavig commented 1 year ago

Peer Verification Steps

  1. Create an SP app.
  2. Configure an SMS OTP provider using this link.
  3. Configure SMS OTP as the 2nd factor of the sign-in flow.
  4. Configure some other authenticator as another option (in this case, let's add TOTP).
  5. Create a User and add a valid mobile number.
  6. Go to Manage -> Login Attempt Security.
  7. Enable Account locking functionality.
  8. Update Maximum failed login attempts = 1 and Initial account lock duration = 1.
  9. Save changes.
  10. Download the sample app and configure the app with the relevant details such as Client ID and base URL.
  11. Start the React server and log in to the application.
  12. Add a valid username and password.
  13. Add an invalid OTP 1 time.
  14. An error message should appear which says the account has been locked for 1 minute(s).
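
The lock policy these steps exercise, as a constructed Python model added here (not WSO2 Identity Server code): the two settings from steps 7-8 drive the lock, and the step boundary maps a structured "account locked" error to the message step 14 expects, while any error it does not recognise falls through to the generic "something went wrong" page the issue reports. The names Account, verify_otp, render_error and second_factor_step are assumed for illustration.

```python
# Constructed model (not WSO2 code) of the lockout path this issue exercises.
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 1        # "Maximum failed login attempts = 1" in the verification steps
INITIAL_LOCK_DURATION_MIN = 1  # "Initial account lock duration = 1" (minutes)

@dataclass
class Account:
    username: str
    failed_attempts: int = 0
    unlock_at_s: int = 0       # epoch seconds; 0 means not locked

class AccountLockedError(Exception):
    """Structured error that carries how long the user must wait."""
    def __init__(self, remaining_min: int):
        super().__init__(f"account locked for {remaining_min} minute(s)")
        self.remaining_min = remaining_min

def remaining_minutes(account: Account, now_s: int) -> int:
    # Round up, so a 30-second remainder is still reported as 1 minute.
    return -(-(account.unlock_at_s - now_s) // 60)

def verify_otp(account: Account, submitted: str, expected: str, now_s: int) -> bool:
    """OTP check with the lock policy; same path for any second-factor option (SMS OTP, TOTP)."""
    if now_s < account.unlock_at_s:
        raise AccountLockedError(remaining_minutes(account, now_s))
    if submitted == expected:
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.failed_attempts = 0
        account.unlock_at_s = now_s + INITIAL_LOCK_DURATION_MIN * 60
        raise AccountLockedError(INITIAL_LOCK_DURATION_MIN)
    return False

def render_error(exc: Exception) -> str:
    """Map the authenticator's error to login-page text. An error the multi-option
    step does not recognise falls through to the generic page the issue reports."""
    if isinstance(exc, AccountLockedError):
        return f"Your account has been locked for {exc.remaining_min} minute(s)."
    return "Something went wrong."

def second_factor_step(account: Account, submitted: str, expected: str, now_s: int) -> str:
    try:
        ok = verify_otp(account, submitted, expected, now_s)
    except Exception as exc:  # the step boundary turns every error into page text
        return render_error(exc)
    return "Authenticated." if ok else "Invalid code, try again."
```

With the page's settings a single wrong code locks the account, and the lock message keeps being shown until the minute has elapsed; the generic text is reached only when the boundary is handed an error type it has no mapping for.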

mpmadhavig commented 1 year ago

Verified with product-is build #4415

https://user-images.githubusercontent.com/47152272/207047247-9c728b1b-3f79-4239-a9ce-b4dfe45a8f9c.mov