Invalidate authentication session on repeated Recovery Code failures
Closes #26180 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
This commit is contained in:
parent
359ccc060d
commit
ffa069a33b
1 changed files with 5 additions and 2 deletions
|
@ -48,13 +48,13 @@ public class RecoveryAuthnCodesFormAuthenticator implements Authenticator {
|
|||
MultivaluedMap<String, String> formParamsMap = authnFlowContext.getHttpRequest().getDecodedFormParameters();
|
||||
String recoveryAuthnCodeUserInput = formParamsMap.getFirst(RecoveryAuthnCodesUtils.FIELD_RECOVERY_CODE_IN_BROWSER_FLOW);
|
||||
|
||||
if (ObjectUtil.isBlank(recoveryAuthnCodeUserInput)) {
|
||||
if (ObjectUtil.isBlank(recoveryAuthnCodeUserInput)
|
||||
|| "true".equals(authnFlowContext.getAuthenticationSession().getAuthNote(AbstractUsernameFormAuthenticator.SESSION_INVALID))) {
|
||||
authnFlowContext.forceChallenge(createLoginForm(authnFlowContext, true,
|
||||
RecoveryAuthnCodesUtils.RECOVERY_AUTHN_CODES_INPUT_DEFAULT_ERROR_MESSAGE,
|
||||
RecoveryAuthnCodesUtils.FIELD_RECOVERY_CODE_IN_BROWSER_FLOW));
|
||||
return result;
|
||||
}
|
||||
RealmModel targetRealm = authnFlowContext.getRealm();
|
||||
UserModel authenticatedUser = authnFlowContext.getUser();
|
||||
if (!isDisabledByBruteForce(authnFlowContext, authenticatedUser)) {
|
||||
boolean isValid = authenticatedUser.credentialManager().isValid(
|
||||
|
@ -82,6 +82,9 @@ public class RecoveryAuthnCodesFormAuthenticator implements Authenticator {
|
|||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
authnFlowContext.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.SESSION_INVALID, "true");
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue