Invalidate authentication session on repeated Recovery Code failures

Closes #26180

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
This commit is contained in:
Douglas Palmer 2024-01-13 15:01:46 -08:00 committed by Alexander Schwartz
parent 359ccc060d
commit ffa069a33b

View file

@ -48,13 +48,13 @@ public class RecoveryAuthnCodesFormAuthenticator implements Authenticator {
MultivaluedMap<String, String> formParamsMap = authnFlowContext.getHttpRequest().getDecodedFormParameters();
String recoveryAuthnCodeUserInput = formParamsMap.getFirst(RecoveryAuthnCodesUtils.FIELD_RECOVERY_CODE_IN_BROWSER_FLOW);
if (ObjectUtil.isBlank(recoveryAuthnCodeUserInput)) {
if (ObjectUtil.isBlank(recoveryAuthnCodeUserInput)
|| "true".equals(authnFlowContext.getAuthenticationSession().getAuthNote(AbstractUsernameFormAuthenticator.SESSION_INVALID))) {
authnFlowContext.forceChallenge(createLoginForm(authnFlowContext, true,
RecoveryAuthnCodesUtils.RECOVERY_AUTHN_CODES_INPUT_DEFAULT_ERROR_MESSAGE,
RecoveryAuthnCodesUtils.FIELD_RECOVERY_CODE_IN_BROWSER_FLOW));
return result;
}
RealmModel targetRealm = authnFlowContext.getRealm();
UserModel authenticatedUser = authnFlowContext.getUser();
if (!isDisabledByBruteForce(authnFlowContext, authenticatedUser)) {
boolean isValid = authenticatedUser.credentialManager().isValid(
@ -82,6 +82,9 @@ public class RecoveryAuthnCodesFormAuthenticator implements Authenticator {
}
}
}
else {
authnFlowContext.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.SESSION_INVALID, "true");
}
return result;
}