From 59ba874e1db2fc13a26af6686c1b5823ab83ef73 Mon Sep 17 00:00:00 2001
From: Kohei Tamura
Date: Fri, 2 Aug 2019 17:22:58 +0900
Subject: [PATCH] KEYCLOAK-10945 Avoid lockout when clicking login twice
---
 .../browser/AbstractUsernameFormAuthenticator.java | 12 ++++++++++--
 .../org/keycloak/testsuite/forms/BruteForceTest.java | 11 -----------
 2 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
index eac2558b0b..815c19e06b 100755
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
@@ -186,11 +186,19 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
 public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap inputData) {
 List credentials = new LinkedList<>();
 String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
- credentials.add(UserCredentialModel.password(password));
+ if (password == null || password.isEmpty()) {
+ context.getEvent().user(user);
+ context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
+ Response challengeResponse = challenge(context, Messages.INVALID_USER);
+ context.forceChallenge(challengeResponse);
+ context.clearUser();
+ return false;
+ }
 if (isTemporarilyDisabledByBruteForce(context, user)) return false;
- if (password != null && !password.isEmpty() && context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
+ credentials.add(UserCredentialModel.password(password));
+ if (context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
 return true;
 } else {
 context.getEvent().user(user);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
index 5ccb869c3c..ad93f416ae 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
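Review bot: The new early-return branch in validatePassword repeats, statement for statement, the failure path of the `else` branch just below it (that branch and the rest of the method continue past the end of the hunk), so the two copies will drift apart; I would move those five statements into a private helper such as `failInvalidCredentials(context, user)` that records the event, forces the challenge, clears the user and returns false, and call it from both places. The branch also needs a why-comment because its position is the whole point of the change: `// Reject an empty/missing password before the brute-force check so a form re-submit (e.g. a double-clicked login) is not counted as a failed attempt.` — that reading comes from the commit subject and the deleted testBrowserMissingPassword, not from this hunk alone, so confirm it matches how failures are actually counted. One consequence worth stating in that comment is that a temporarily disabled user who posts an empty password now receives the generic invalid-user challenge instead of whatever isTemporarilyDisabledByBruteForce would have returned, and the same INVALID_USER_CREDENTIALS event is emitted, so audit logs cannot distinguish "no password sent" from "wrong password". Finally, the commit deletes the test that pinned the old lockout behaviour rather than inverting it; a replacement asserting that repeated empty submissions leave the user enabled while a subsequent wrong password still counts would keep this ordering from being silently undone.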
@@ -362,17 +362,6 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
 clearAllUserFailures();
 }
- @Test
- public void testBrowserMissingPassword() throws Exception {
- loginSuccess();
- loginMissingPassword();
- loginMissingPassword();
- expectTemporarilyDisabled();
- expectTemporarilyDisabled("test-user@localhost", null, "invalid");
- clearUserFailures();
- loginSuccess();
- }
 @Test
 public void testBrowserInvalidTotp() throws Exception {
 loginSuccess();