KEYCLOAK-10945 Avoid lockout when clicking login twice

Kohei Tamura 2019-08-02 17:22:58 +09:00 committed by Stian Thorgersen
parent 6acb87bd7a
commit 59ba874e1d
2 changed files with 10 additions and 13 deletions


@ -186,11 +186,19 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
List<CredentialInput> credentials = new LinkedList<>();
String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
credentials.add(UserCredentialModel.password(password));
if (password == null || password.isEmpty()) {
context.getEvent().user(user);
context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
Response challengeResponse = challenge(context, Messages.INVALID_USER);
context.forceChallenge(challengeResponse);
context.clearUser();
return false;
}
if (isTemporarilyDisabledByBruteForce(context, user)) return false;
if (password != null && !password.isEmpty() && context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
credentials.add(UserCredentialModel.password(password));
if (context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
return true;
} else {
context.getEvent().user(user);
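Review bot: The new guard at `if (password == null || password.isEmpty())` returns before any credential check and therefore before whatever failure accounting the old path reached through the `else` branch, but nothing in the code says that bypass is deliberate, and the deleted `testBrowserMissingPassword` was the only thing pinning it; add a why-comment such as `// Empty password = form resubmission (KEYCLOAK-10945): reject it without counting a brute-force failure.` Because the guard sits above `isTemporarilyDisabledByBruteForce(context, user)`, an account that is already locked out now receives the INVALID_USER challenge for an empty submit but the temporarily-disabled response for any other input; if that difference is unintended, move the brute-force check above the guard (the check itself appears to only report lockout rather than record a failure, but its body is outside the hunk — confirm). Since `credentials` now only ever holds the one entry added at `credentials.add(UserCredentialModel.password(password))`, `Collections.singletonList(UserCredentialModel.password(password))` would read more clearly than the pre-sized `LinkedList`, provided `isValid` accepts a `List`. Consider replacing the deleted test with one asserting the new invariant (two missing-password submits followed by `loginSuccess()` must not lock the user) rather than only removing the old expectation. The `else` branch and the remainder of validatePassword continue past the end of the hunk.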


@ -362,17 +362,6 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
clearAllUserFailures();
}
@Test
public void testBrowserMissingPassword() throws Exception {
loginSuccess();
loginMissingPassword();
loginMissingPassword();
expectTemporarilyDisabled();
expectTemporarilyDisabled("test-user@localhost", null, "invalid");
clearUserFailures();
loginSuccess();
}
@Test
public void testBrowserInvalidTotp() throws Exception {
loginSuccess();