// Package lock implements user locking after N bad sign-in attempts. package lock import ( "context" "net/http" "time" "github.com/pkg/errors" "github.com/volatiletech/authboss" ) // Storage key constants const ( StoreAttemptNumber = "attempt_number" StoreAttemptTime = "attempt_time" StoreLocked = "locked" ) var ( errUserMissing = errors.New("user not loaded in BeforeAuth callback") ) func init() { authboss.RegisterModule("lock", &Lock{}) } // Lock module type Lock struct { *authboss.Authboss } // Init the module func (l *Lock) Init(ab *authboss.Authboss) error { l.Authboss = ab l.Events.Before(authboss.EventAuth, l.BeforeAuth) l.Events.Before(authboss.EventOAuth2, l.BeforeAuth) l.Events.After(authboss.EventAuth, l.AfterAuthSuccess) l.Events.After(authboss.EventAuthFail, l.AfterAuthFail) return nil } // BeforeAuth ensures the account is not locked. func (l *Lock) BeforeAuth(w http.ResponseWriter, r *http.Request, handled bool) (bool, error) { user, err := l.Authboss.CurrentUser(r) if err != nil { return false, err } lu := authboss.MustBeLockable(user) if !IsLocked(lu) { return false, nil } ro := authboss.RedirectOptions{ Code: http.StatusTemporaryRedirect, Failure: "Your account is locked. Please contact the administrator.", RedirectPath: l.Authboss.Config.Paths.LockNotOK, } return true, l.Authboss.Config.Core.Redirector.Redirect(w, r, ro) } // AfterAuthSuccess resets the attempt number field. func (l *Lock) AfterAuthSuccess(w http.ResponseWriter, r *http.Request, handled bool) (bool, error) { user, err := l.Authboss.CurrentUser(r) if err != nil { return false, err } lu := authboss.MustBeLockable(user) lu.PutAttemptCount(0) lu.PutLastAttempt(time.Now().UTC()) return false, l.Authboss.Config.Storage.Server.Save(r.Context(), lu) } // AfterAuthFail adjusts the attempt number and time negatively // and locks the user if they're beyond limits. func (l *Lock) AfterAuthFail(w http.ResponseWriter, r *http.Request, handled bool) (bool, error) { user, err := l.Authboss.CurrentUser(r) if err != nil { return false, err } lu := authboss.MustBeLockable(user) last := lu.GetLastAttempt() attempts := lu.GetAttemptCount() attempts++ nowLocked := false if time.Now().UTC().Sub(last) <= l.Modules.LockWindow { if attempts >= l.Modules.LockAfter { lu.PutLocked(time.Now().UTC().Add(l.Modules.LockDuration)) nowLocked = true } lu.PutAttemptCount(attempts) } else { lu.PutAttemptCount(1) } lu.PutLastAttempt(time.Now().UTC()) if err := l.Authboss.Config.Storage.Server.Save(r.Context(), lu); err != nil { return false, err } if !nowLocked { return false, nil } ro := authboss.RedirectOptions{ Code: http.StatusTemporaryRedirect, Failure: "Your account has been locked, please contact the administrator.", RedirectPath: l.Authboss.Config.Paths.LockNotOK, } return true, l.Authboss.Config.Core.Redirector.Redirect(w, r, ro) } // Lock a user manually. func (l *Lock) Lock(ctx context.Context, key string) error { user, err := l.Authboss.Config.Storage.Server.Load(ctx, key) if err != nil { return err } lu := authboss.MustBeLockable(user) lu.PutLocked(time.Now().UTC().Add(l.Authboss.Config.Modules.LockDuration)) return l.Authboss.Config.Storage.Server.Save(ctx, lu) } // Unlock a user that was locked by this module. func (l *Lock) Unlock(ctx context.Context, key string) error { user, err := l.Authboss.Config.Storage.Server.Load(ctx, key) if err != nil { return err } lu := authboss.MustBeLockable(user) // Set the last attempt to be -window*2 to avoid immediately // giving another login failure. Don't reset Locked to Zero time // because some databases may have trouble storing values before // unix_time(0): Jan 1st, 1970 now := time.Now().UTC() lu.PutAttemptCount(0) lu.PutLastAttempt(now.Add(-l.Authboss.Config.Modules.LockWindow * 2)) lu.PutLocked(now.Add(-l.Authboss.Config.Modules.LockDuration)) return l.Authboss.Config.Storage.Server.Save(ctx, lu) } // Middleware ensures that a user is not locked, or else it will intercept the request // and send them to the configured LockNotOK page, this will load the user if he's not been loaded // yet from the session. And panics if it cannot load the user. func Middleware(ab *authboss.Authboss) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { user := ab.LoadCurrentUserP(&r) lu := authboss.MustBeLockable(user) if !IsLocked(lu) { next.ServeHTTP(w, r) return } logger := ab.RequestLogger(r) logger.Infof("user %s prevented from accessing %s: locked", user.GetPID(), r.URL.Path) ro := authboss.RedirectOptions{ Code: http.StatusTemporaryRedirect, Failure: "Your account has been locked, please contact the administrator.", RedirectPath: ab.Config.Paths.LockNotOK, } ab.Config.Core.Redirector.Redirect(w, r, ro) }) } } // IsLocked checks if a user is locked func IsLocked(lu authboss.LockableUser) bool { return lu.GetLocked().After(time.Now().UTC()) }