[Bug 18314] New: Account lockout
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Bug ID: 18314 Summary: Account lockout Change sponsored?: Sponsored Product: Koha Version: unspecified Hardware: All OS: All Status: ASSIGNED Severity: enhancement Priority: P5 - low Component: Patrons Assignee: jonathan.druart@bugs.koha-community.org Reporter: jonathan.druart@bugs.koha-community.org QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com To prevent brute force attacks on Koha accounts, staff and opac, we need to implement an account lockout process to Koha. After a number of failed login attempts a users account would become locked. The user would then need to use the reset password functionality to send a reset token to their email account. After a successful password reset the lockout flag would be removed. The number of failed login attempts before lockout will be configurable using a system preference. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Francesco Rivetti <oha@oha.it> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |oha@oha.it --- Comment #1 from Francesco Rivetti <oha@oha.it> --- would be better to have a CAPTCHA after N login attempt/minute from a class C? i'm concerned about "horizontal" brute force attacks, like checking password "1234" against random usernames -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=18298 --- Comment #2 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- (In reply to Francesco Rivetti from comment #1)
would be better to have a CAPTCHA after N login attempt/minute from a class C?
That will not be parted of this enhancement.
i'm concerned about "horizontal" brute force attacks, like checking password "1234" against random usernames
See also bug 18298. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #3 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Probably an Architecture patch instead of Patrons? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |18174 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18174 [Bug 18174] Add the Koha::Object->update method -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #4 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 61630 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61630&action=edit Bug 18314: Add pref FailedLoginAttempts and columns borrowers.login_attempts And of course deletedborrowers.login_attempts -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #5 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 61631 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61631&action=edit Bug 18314: DBIC schema changes -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #6 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 61632 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61632&action=edit Bug 18314: Account lockout To prevent brute force attacks on Koha accounts, staff and opac, we need to implement an account lockout process to Koha. After a number of failed login attempts a users account would become locked. The user would then need to use the reset password functionality to send a reset token to their email account. After a successful password reset the lockout flag would be removed. The number of failed login attempts before lockout is configurable using a new system preference 'FailedLoginAttempts'. How does it work? When a patron enter an invalid password, the borrowers.login_attempts value for this patron is incremented. When this value reach the value of the pref FailedLoginAttempts, the password comparison is not done and the authentication is rejected. This login_attempts field is reset when a patron correctly logs in. When the account is locked the patron has to reset his/her password using the OpacResetPassword feature or ask a staff member to generate a new password. If the pref is not set (0, or '') the feature is considered as disabled, but the failed login attempts are stored anyway. Test plan: 0/ Apply patch and execute the update DB entry 1/ Switch on the feature by setting FailedLoginAttempts to 3 2/ Use an invalid password to login at the staff or OPAC interface 3/ After the third consecutive failures, you will be asked to reset your password if OpacResetPassword is set, or contact a staff member 4/ Switch on OpacResetPassword and reset your password 5/ Confirm that you are able to login 6/ Play with the different combinations QA details: The trick happens in C4::Auth::checkpw, to make things clear I had to create a return value (note the awesome name: @return) and replace the 3 successives if statements with elsif. Indeed if one of the condition is reached, it will return inside the given block. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #7 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 61633 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61633&action=edit Bug 18314: Resetting the password removes the lock When a password is changed (updated by a staff member or using the "recover password via email" feature, the counter/flag needs to be reset. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #8 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 61634 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=61634&action=edit Bug 18314: Add tests -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #9 from David Cook <dcook@prosentient.com.au> --- So happy to see this. I have a number of other tasks to do, but if I can find the time, I'll test this. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Marc Véron <veron@veron.ch> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |veron@veron.ch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Aleisha Amohia <aleishaamohia@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aleishaamohia@hotmail.com Status|Needs Signoff |Failed QA --- Comment #10 from Aleisha Amohia <aleishaamohia@hotmail.com> --- Hi, patch and db update apply cleanly. I see no change in behaviour in staff client nor opac side. I set the FailedLoginAttempts to 3, but I was able to attempt logging in with the wrong password unlimited times. Also, tests fail: # Subtest: update_password 1..7 ok 1 - Koha::Patron->update_password should warn if the userid is already used by another patron ok 2 - Koha::Patron->update_password should not have updated the userid ok 3 - Koha::Patron->update_password should not have updated the userid # Looks like you planned 7 tests but ran 3. not ok 8 - update_password # Failed test 'update_password' # at t/db_dependent/Koha/Patrons.t line 183. The method update is not covered by tests!# Looks like your test exited with 255 just after 8. Dubious, test returned 255 (wstat 65280, 0xff00) Failed 15/22 subtests Test Summary Report ------------------- t/db_dependent/Koha/Patrons.t (Wstat: 65280 Tests: 8 Failed: 1) Failed test: 8 Non-zero exit status: 255 Parse errors: Bad plan. You planned 22 tests but ran 8. Files=1, Tests=8, 3 wallclock secs ( 0.03 usr 0.01 sys + 1.28 cusr 0.10 csys = 1.42 CPU) Result: FAIL -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #11 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Aleisha, tests pass and everything works for me. Could you double check please? (restart plack and memcached, check dependency, execute updateDB). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Bug 18314 depends on bug 18174, which changed state. Bug 18174 Summary: Add the Koha::Object->update method https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18174 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 sandboxes@biblibre.com <sandboxes@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |sandboxes@biblibre.com Status|Needs Signoff |Signed Off --- Comment #12 from sandboxes@biblibre.com <sandboxes@biblibre.com> --- Patch tested with a sandbox, by Jonathan Field <jonathan.field@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 sandboxes@biblibre.com <sandboxes@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #61630|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 sandboxes@biblibre.com <sandboxes@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #61631|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 sandboxes@biblibre.com <sandboxes@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #61632|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 sandboxes@biblibre.com <sandboxes@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #61633|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 sandboxes@biblibre.com <sandboxes@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #61634|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #13 from sandboxes@biblibre.com <sandboxes@biblibre.com> --- Created attachment 62453 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62453&action=edit Bug 18314: Add pref FailedLoginAttempts and columns borrowers.login_attempts And of course deletedborrowers.login_attempts Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #14 from sandboxes@biblibre.com <sandboxes@biblibre.com> --- Created attachment 62454 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62454&action=edit Bug 18314: DBIC schema changes Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #15 from sandboxes@biblibre.com <sandboxes@biblibre.com> --- Created attachment 62455 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62455&action=edit Bug 18314: Account lockout To prevent brute force attacks on Koha accounts, staff and opac, we need to implement an account lockout process to Koha. After a number of failed login attempts a users account would become locked. The user would then need to use the reset password functionality to send a reset token to their email account. After a successful password reset the lockout flag would be removed. The number of failed login attempts before lockout is configurable using a new system preference 'FailedLoginAttempts'. How does it work? When a patron enter an invalid password, the borrowers.login_attempts value for this patron is incremented. When this value reach the value of the pref FailedLoginAttempts, the password comparison is not done and the authentication is rejected. This login_attempts field is reset when a patron correctly logs in. When the account is locked the patron has to reset his/her password using the OpacResetPassword feature or ask a staff member to generate a new password. If the pref is not set (0, or '') the feature is considered as disabled, but the failed login attempts are stored anyway. Test plan: 0/ Apply patch and execute the update DB entry 1/ Switch on the feature by setting FailedLoginAttempts to 3 2/ Use an invalid password to login at the staff or OPAC interface 3/ After the third consecutive failures, you will be asked to reset your password if OpacResetPassword is set, or contact a staff member 4/ Switch on OpacResetPassword and reset your password 5/ Confirm that you are able to login 6/ Play with the different combinations QA details: The trick happens in C4::Auth::checkpw, to make things clear I had to create a return value (note the awesome name: @return) and replace the 3 successives if statements with elsif. Indeed if one of the condition is reached, it will return inside the given block. Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #16 from sandboxes@biblibre.com <sandboxes@biblibre.com> --- Created attachment 62456 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62456&action=edit Bug 18314: Resetting the password removes the lock When a password is changed (updated by a staff member or using the "recover password via email" feature, the counter/flag needs to be reset. Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #17 from sandboxes@biblibre.com <sandboxes@biblibre.com> --- Created attachment 62457 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62457&action=edit Bug 18314: Add tests Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA CC| |nick@bywatersolutions.com --- Comment #18 from Nick Clemens <nick@bywatersolutions.com> --- I hit a problem here: 1 - Staff/opac fail a logon 2 - Check db login_attempts = 1 3 - Succeed a login 4 - Check db login_attempts = 1 It should reset to zero, but instead accumulates until password reset. I think it would also be good to add a link to the staff side if password reset enabled to point staff member to opac -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #62453|0 |1 is obsolete| | Attachment #62454|0 |1 is obsolete| | Attachment #62455|0 |1 is obsolete| | Attachment #62456|0 |1 is obsolete| | Attachment #62457|0 |1 is obsolete| | --- Comment #19 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 62872 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62872&action=edit Bug 18314: Add pref FailedLoginAttempts and columns borrowers.login_attempts And of course deletedborrowers.login_attempts Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #20 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 62873 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62873&action=edit Bug 18314: Account lockout To prevent brute force attacks on Koha accounts, staff and opac, we need to implement an account lockout process to Koha. After a number of failed login attempts a users account would become locked. The user would then need to use the reset password functionality to send a reset token to their email account. After a successful password reset the lockout flag would be removed. The number of failed login attempts before lockout is configurable using a new system preference 'FailedLoginAttempts'. How does it work? When a patron enter an invalid password, the borrowers.login_attempts value for this patron is incremented. When this value reach the value of the pref FailedLoginAttempts, the password comparison is not done and the authentication is rejected. This login_attempts field is reset when a patron correctly logs in. When the account is locked the patron has to reset his/her password using the OpacResetPassword feature or ask a staff member to generate a new password. If the pref is not set (0, or '') the feature is considered as disabled, but the failed login attempts are stored anyway. Test plan: 0/ Apply patch and execute the update DB entry 1/ Switch on the feature by setting FailedLoginAttempts to 3 2/ Use an invalid password to login at the staff or OPAC interface 3/ After the third consecutive failures, you will be asked to reset your password if OpacResetPassword is set, or contact a staff member 4/ Switch on OpacResetPassword and reset your password 5/ Confirm that you are able to login 6/ Play with the different combinations QA details: The trick happens in C4::Auth::checkpw, to make things clear I had to create a return value (note the awesome name: @return) and replace the 3 successives if statements with elsif. Indeed if one of the condition is reached, it will return inside the given block. Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #21 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 62874 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62874&action=edit Bug 18314: Resetting the password removes the lock When a password is changed (updated by a staff member or using the "recover password via email" feature, the counter/flag needs to be reset. Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #22 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 62875 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62875&action=edit Bug 18314: Add tests Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #23 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 62876 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62876&action=edit Bug 18314: DBIC schema changes -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #24 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 62877 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62877&action=edit Bug 18314: Fix reset number of login attempts on login success -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #25 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 62878 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62878&action=edit Bug 18314: Add link to 'reset your password' from staff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #26 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- (In reply to Nick Clemens from comment #18)
I hit a problem here: 1 - Staff/opac fail a logon 2 - Check db login_attempts = 1 3 - Succeed a login 4 - Check db login_attempts = 1
It should reset to zero, but instead accumulates until password reset.
Indeed that did not work! Sorry about that, I was sure I tested it.
I think it would also be good to add a link to the staff side if password reset enabled to point staff member to opac
Done! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #62872|0 |1 is obsolete| | Attachment #62873|0 |1 is obsolete| | Attachment #62874|0 |1 is obsolete| | Attachment #62875|0 |1 is obsolete| | Attachment #62876|0 |1 is obsolete| | Attachment #62877|0 |1 is obsolete| | Attachment #62878|0 |1 is obsolete| | --- Comment #27 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 62884 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62884&action=edit Bug 18314: Add pref FailedLoginAttempts and columns borrowers.login_attempts And of course deletedborrowers.login_attempts Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #28 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 62885 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62885&action=edit Bug 18314: Account lockout To prevent brute force attacks on Koha accounts, staff and opac, we need to implement an account lockout process to Koha. After a number of failed login attempts a users account would become locked. The user would then need to use the reset password functionality to send a reset token to their email account. After a successful password reset the lockout flag would be removed. The number of failed login attempts before lockout is configurable using a new system preference 'FailedLoginAttempts'. How does it work? When a patron enter an invalid password, the borrowers.login_attempts value for this patron is incremented. When this value reach the value of the pref FailedLoginAttempts, the password comparison is not done and the authentication is rejected. This login_attempts field is reset when a patron correctly logs in. When the account is locked the patron has to reset his/her password using the OpacResetPassword feature or ask a staff member to generate a new password. If the pref is not set (0, or '') the feature is considered as disabled, but the failed login attempts are stored anyway. Test plan: 0/ Apply patch and execute the update DB entry 1/ Switch on the feature by setting FailedLoginAttempts to 3 2/ Use an invalid password to login at the staff or OPAC interface 3/ After the third consecutive failures, you will be asked to reset your password if OpacResetPassword is set, or contact a staff member 4/ Switch on OpacResetPassword and reset your password 5/ Confirm that you are able to login 6/ Play with the different combinations QA details: The trick happens in C4::Auth::checkpw, to make things clear I had to create a return value (note the awesome name: @return) and replace the 3 successives if statements with elsif. Indeed if one of the condition is reached, it will return inside the given block. Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #29 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 62886 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62886&action=edit Bug 18314: Resetting the password removes the lock When a password is changed (updated by a staff member or using the "recover password via email" feature, the counter/flag needs to be reset. Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #30 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 62887 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62887&action=edit Bug 18314: Add tests Signed-off-by: Jonathan Field <jonathan.field@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #31 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 62888 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62888&action=edit Bug 18314: DBIC schema changes Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #32 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 62889 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62889&action=edit Bug 18314: Fix reset number of login attempts on login success Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #33 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 62890 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62890&action=edit Bug 18314: Add link to 'reset your password' from staff Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #34 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 62891 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62891&action=edit Bug 18314 (QA Followup) Use OpacBaseURL for password reset link -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master CC| |kyle@bywatersolutions.com --- Comment #35 from Kyle M Hall <kyle@bywatersolutions.com> --- Pushed to master for 17.05, thanks Jonathan, Nick! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|Pushed to Master |RESOLVED CC| |katrin.fischer@bsz-bw.de --- Comment #36 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Like! This won't get ported back to 16.11.x as it is an enhancement. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Oliver Bock <oliver.bock@aei.mpg.de> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=18880 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 --- Comment #37 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- This report causes t/db/SIP/Message.t to fail (quite often) since testbuilder fills login_attempts with a random number. Depends on a pref too btw. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=19003 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |19344 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19344 [Bug 19344] DB fields login_attempts and lang may be inverted -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |19003 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19003 [Bug 19003] Add a TestBuilder default for borrowers.login_attempts -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |18880 See Also|https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=18880 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18880 [Bug 18880] Regression breaks local authentication fallback for all external authentications -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |20040 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20040 [Bug 20040] FailedLoginAttempts syspref will lock out users so that they cannot log in unless the syspref is cleared -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |20091 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20091 [Bug 20091] FailedLoginAttempts is not part of NorwegianPatronDatabase pref group -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |21312 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21312 [Bug 21312] Show lockout on Patrons form -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |21311 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21311 [Bug 21311] Remove locked message from opac-auth.tt -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18314 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |25935 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25935 [Bug 25935] Use time-based mechanism for account lockout -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org