Skip to content

Bugfix/stable 3 3/63 fix lock message #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jonasraoni wants to merge 4 commits into
base: stable-3_3
Choose a base branch
from
+53 −23
Open

Bugfix/stable 3 3/63 fix lock message #64

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
cce38ad
#63 Updated resetCount() to drop the record
jonasraoni Mar 30, 2026
eb22f76
#63 Added cleanup method to remove expired entries
jonasraoni Mar 30, 2026
f82c930
#63 Updated code to use the new cleanup method
jonasraoni Mar 30, 2026
f445dde
#63 Added improved message
jonasraoni Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 28 additions & 5 deletions classes/BadpwFailedLoginsDAO.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,10 +81,33 @@ public function getByUsername(string $username) : ?BadpwFailedLogins {
* @return boolean True if reset is successful
*/
public function resetCount(BadpwFailedLogins $badpwObj) : bool {
return $this->update('
UPDATE badpw_failedlogins
SET count = 0
WHERE username = ?
', [$badpwObj->getUsername()]);
return $this->update('DELETE FROM badpw_failedlogins WHERE username = ?', [$badpwObj->getUsername()]);
}

/**
* Cleanup stale failed login attempts.
*
* Rules:
* - If the account is locked (count > $maxRetries), then `failed_login_time` must be old enough
* to satisfy both `$lockExpiresSeconds` and `$lockSeconds`.
* - Otherwise, only `$lockExpiresSeconds` must be respected.
*
* @param int $maxRetries Maximum amount of retries before an account is considered locked
* @param int $lockSeconds Lock duration (seconds)
* @param int $lockExpiresSeconds How long we keep bad-password attempts (seconds)
*/
public function cleanup(int $maxRetries, int $lockSeconds, int $attemptExpiresSeconds): void {
$now = time();
$type = 'date';
$attemptsExpiresAt = $this->convertToDB($now + $attemptExpiresSeconds, $type);
$lockExpiresAt = $this->convertToDB($now + max($attemptExpiresSeconds, $lockSeconds), $type);
$this->update(
'DELETE FROM badpw_failedlogins WHERE failed_login_time >= CASE WHEN count >= ? THEN ? ELSE ? END',
[
$maxRetries,
$lockExpiresAt,
$attemptsExpiresAt
]
);
}
}
41 changes: 24 additions & 17 deletions features/LimitRetry.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@
* @brief Implements the feature to limit retries and lock the account
*/

use Carbon\CarbonInterval;

class LimitRetry {
/** @var int Max amount of retries */
private $_maxRetries;
Expand Down Expand Up @@ -55,28 +57,33 @@ private function _handleTemplateDisplay() : void {
}
/** @var BadpwFailedLoginsDAO */
$badpwFailedLoginsDao = DAORegistry::getDAO('BadpwFailedLoginsDAO');
$badpwFailedLoginsDao->cleanup($this->_maxRetries, $this->_lockSeconds, $this->_lockExpiresSeconds);
$user = $badpwFailedLoginsDao->getByUsername($username);
if (!$user) {
return;
}
$count = $user->getCount();
$time = $user->getFailedTime();

// Discard old bad password attempts
// When the memory has expired
if ($count && $time < time() - $this->_lockExpiresSeconds) {
// And the user is not currently locked
if ($user->getCount() < $this->_maxRetries || $user->getFailedTime() <= time() - $this->_lockSeconds) {
$badpwFailedLoginsDao->resetCount($user);
}
}

// Update the count to represent this failed attempt
$badpwFailedLoginsDao->incCount($user);

$count = $user->getCount() + 1;
// Warn the user if the attempts have been exhausted
if ($count >= $this->_maxRetries) {
$templateManager->assign('error', 'plugins.generic.betterPassword.validation.betterPasswordLocked');
$localeKey = 'plugins.generic.betterPassword.validation.betterPasswordLocked';
$enhancedLocaleKey = "{$localeKey}.enhancedByHook";
HookRegistry::register('PKPLocale::translate', function ($hook, $args) use ($localeKey, $enhancedLocaleKey) {
$key = $args[0];
$value = &$args[4];
if ($key === $enhancedLocaleKey) {
$label = CarbonInterval::seconds(max($this->_lockExpiresSeconds, $this->_lockSeconds))
->cascade()
->locale(AppLocale::getLocale())
->forHumans([
'parts' => 2,
'short' => false,
]);
$value = AppLocale::translate($localeKey, ['remainingTime' => $label]);
return true;
}

return false;
});
$templateManager->assign('error', $enhancedLocaleKey);
}
});
}
Expand Down
2 changes: 1 addition & 1 deletion locale/en_US/locale.po
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ msgid "plugins.generic.betterPassword.validation.betterPasswordCheckBlocklist"
msgstr "Your password was found in a blocklist of known bad passwords."

msgid "plugins.generic.betterPassword.validation.betterPasswordLocked"
msgstr "Your account has been temporarily locked due to bad password attempts."
msgstr "Your account has been temporarily locked due to bad password attempts. It will unlock automatically within {$remainingTime}. For immediate access, use the \"Forgot you password?\" link to reset your password."

msgid "plugins.generic.betterPassword.validation.betterPasswordUnexpectedError"
msgstr "Your password could not be changed at this time. Please try again later."
Expand Down