amcsz (Member) commented May 1, 2025

Closes #1749

Proposed changes

  • New state added to PamAuthenticationResult to indicate that the user is locked out.
  • The authenticate method will update the session data, prompting the index view to show a message to the user, telling them they are locked out. The message goes away once the user reloads the page and will only appear when the user attempts to log in while locked out.
  • The authenticate method is called in the post_view and the request object is passed through so it is able to access the session data.

Brief description of rationale

The user will know that they are locked out instead of just knowing that the login did not work.

The specific PAM error message when a user is locked out is at line 65 at this link:
https://github.com/linux-pam/linux-pam/blob/master/libpam/pam_strerror.c

@amcsz amcsz requested a review from a team as a code owner May 1, 2025 22:56
coveralls commented May 1, 2025

Coverage Status

coverage: 79.379% (-0.02%) from 79.398%
when pulling 78adf1d on amcsz:pamlockout
into 0d8ccc3 on tjcsl:dev.

alanzhu0 (Member) left a comment

Hi Sam, sorry for the delayed review. This is a great start. Please see the comments.
I finally got a chance to check PAM on our systems, and unfortunately it doesn't return a special status code for locked out users by default. I need to modify the backend authentication mechanism on our servers for it to work. But I did get the modified version to work, which is good. Please make the following changes, which are specific to our configuration:

  • Line 75: replace the existing line with this: result = pam_authenticator.authenticate(full_username, password, service="ion-login")
  • The return code from pam_authenticator will be 6 for locked out users ("permission denied"). You can just check if pam_authenticator.code == 6: [do locked out users logic]

I can explain how I configured the PAM backend sometime if you want me to.

Thanks!
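
A sketch of the flow discussed in this review, added here as an example and not taken from the PR's code. `AuthResult`, `StubPam`, `index_message` and the `locked_out` session key are hypothetical names; the stub only imitates the `authenticate(..., service=)` call and `.code` attribute quoted above, and the session is assumed to be dict-like.

```python
from enum import Enum

PAM_SUCCESS = 0
PAM_PERM_DENIED = 6  # Linux-PAM "Permission denied"; per the review, returned for locked-out users
PAM_AUTH_ERR = 7     # Linux-PAM "Authentication failure"

class AuthResult(Enum):  # hypothetical stand-in for PamAuthenticationResult
    SUCCESS = "success"
    FAILURE = "failure"
    LOCKED_OUT = "locked_out"

class StubPam:
    """Constructed test double exposing authenticate(..., service=) and .code."""
    def __init__(self, password, locked_after):
        self._password, self._locked_after = password, locked_after
        self._failures, self.code = 0, None

    def authenticate(self, username, password, service="login"):
        if self._failures >= self._locked_after:
            self.code = PAM_PERM_DENIED  # locked: even the right password is refused
        elif password == self._password:
            self.code = PAM_SUCCESS
        else:
            self._failures += 1
            self.code = PAM_AUTH_ERR
        return self.code == PAM_SUCCESS

def authenticate(session, pam_authenticator, full_username, password):
    """Map the PAM return code to a result and flag lockout in the session."""
    pam_authenticator.authenticate(full_username, password, service="ion-login")
    if pam_authenticator.code == PAM_SUCCESS:
        session.pop("locked_out", None)
        return AuthResult.SUCCESS
    if pam_authenticator.code == PAM_PERM_DENIED:
        session["locked_out"] = True  # hypothetical session key
        return AuthResult.LOCKED_OUT
    return AuthResult.FAILURE

def index_message(session):
    """Return the lockout notice once; pop() clears it so a reload shows nothing."""
    if session.pop("locked_out", False):
        return "Your account is locked due to too many login attempts."
    return None
```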

amcsz (Member, Author) commented May 21, 2025

Thanks for the review! I edited the code to how you configured it and I think everything should work now, hopefully. I also squashed all the commits.

@aarushtools aarushtools reopened this Aug 24, 2025
Successfully merging this pull request may close these issues.

Tell users if their account has been locked due to too many login attempts