Reset failed access count on successful login with remembered TFA. (#24860)

Co-authored-by: Stefan Rajkovic <srajkovic@rxsense.com>
This commit is contained in:
Stefan Rajkovic 2020-08-13 16:07:35 -04:00 committed by GitHub
parent ede7d08984
commit 3f6ea38f44
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 24 additions and 10 deletions

View File

@ -378,8 +378,8 @@ namespace Microsoft.AspNetCore.Identity
if (await UserManager.CheckPasswordAsync(user, password)) if (await UserManager.CheckPasswordAsync(user, password))
{ {
var alwaysLockout = AppContext.TryGetSwitch("Microsoft.AspNetCore.Identity.CheckPasswordSignInAlwaysResetLockoutOnSuccess", out var enabled) && enabled; var alwaysLockout = AppContext.TryGetSwitch("Microsoft.AspNetCore.Identity.CheckPasswordSignInAlwaysResetLockoutOnSuccess", out var enabled) && enabled;
// Only reset the lockout when TFA is not enabled when not in quirks mode // Only reset the lockout when not in quirks mode if either TFA is not enabled or the client is remembered for TFA.
if (alwaysLockout || !await IsTfaEnabled(user)) if (alwaysLockout || !await IsTfaEnabled(user) || await IsTwoFactorClientRememberedAsync(user))
{ {
await ResetLockout(user); await ResetLockout(user);
} }

View File

@ -82,7 +82,10 @@
"src\\Security\\Authentication\\OAuth\\src\\Microsoft.AspNetCore.Authentication.OAuth.csproj", "src\\Security\\Authentication\\OAuth\\src\\Microsoft.AspNetCore.Authentication.OAuth.csproj",
"src\\Mvc\\Mvc.NewtonsoftJson\\src\\Microsoft.AspNetCore.Mvc.NewtonsoftJson.csproj", "src\\Mvc\\Mvc.NewtonsoftJson\\src\\Microsoft.AspNetCore.Mvc.NewtonsoftJson.csproj",
"src\\Features\\JsonPatch\\src\\Microsoft.AspNetCore.JsonPatch.csproj", "src\\Features\\JsonPatch\\src\\Microsoft.AspNetCore.JsonPatch.csproj",
"src\\Mvc\\Mvc.Testing\\src\\Microsoft.AspNetCore.Mvc.Testing.csproj" "src\\Mvc\\Mvc.Testing\\src\\Microsoft.AspNetCore.Mvc.Testing.csproj",
"src\\ObjectPool\\src\\Microsoft.Extensions.ObjectPool.csproj",
"src\\Http\\Metadata\\src\\Microsoft.AspNetCore.Metadata.csproj",
"src\\Localization\\Abstractions\\src\\Microsoft.Extensions.Localization.Abstractions.csproj"
] ]
} }
} }

View File

@ -267,9 +267,10 @@ namespace Microsoft.AspNetCore.Identity.Test
} }
[Theory] [Theory]
[InlineData(true)] [InlineData(true, true)]
[InlineData(false)] [InlineData(true, false)]
public async Task CheckPasswordOnlyResetLockoutWhenTfaNotEnabled(bool tfaEnabled) [InlineData(false, false)]
public async Task CheckPasswordOnlyResetLockoutWhenTfaNotEnabledOrRemembered(bool tfaEnabled, bool tfaRemembered)
{ {
// Setup // Setup
var user = new PocoUser { UserName = "Foo" }; var user = new PocoUser { UserName = "Foo" };
@ -279,20 +280,30 @@ namespace Microsoft.AspNetCore.Identity.Test
manager.Setup(m => m.SupportsUserTwoFactor).Returns(tfaEnabled).Verifiable(); manager.Setup(m => m.SupportsUserTwoFactor).Returns(tfaEnabled).Verifiable();
manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable();
var context = new DefaultHttpContext();
var auth = MockAuth(context);
if (tfaEnabled) if (tfaEnabled)
{ {
manager.Setup(m => m.GetTwoFactorEnabledAsync(user)).ReturnsAsync(true).Verifiable(); manager.Setup(m => m.GetTwoFactorEnabledAsync(user)).ReturnsAsync(true).Verifiable();
manager.Setup(m => m.GetValidTwoFactorProvidersAsync(user)).ReturnsAsync(new string[1] {"Fake"}).Verifiable(); manager.Setup(m => m.GetValidTwoFactorProvidersAsync(user)).ReturnsAsync(new string[1] {"Fake"}).Verifiable();
} }
else
if (tfaRemembered)
{
var id = new ClaimsIdentity(IdentityConstants.TwoFactorRememberMeScheme);
id.AddClaim(new Claim(ClaimTypes.Name, user.Id));
auth.Setup(a => a.AuthenticateAsync(context, IdentityConstants.TwoFactorRememberMeScheme))
.ReturnsAsync(AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(id), null, IdentityConstants.TwoFactorRememberMeScheme))).Verifiable();
}
if (!tfaEnabled || tfaRemembered)
{ {
manager.Setup(m => m.ResetAccessFailedCountAsync(user)).ReturnsAsync(IdentityResult.Success).Verifiable(); manager.Setup(m => m.ResetAccessFailedCountAsync(user)).ReturnsAsync(IdentityResult.Success).Verifiable();
} }
var context = new DefaultHttpContext();
var helper = SetupSignInManager(manager.Object, context);
// Act // Act
var helper = SetupSignInManager(manager.Object, context);
var result = await helper.CheckPasswordSignInAsync(user, "password", false); var result = await helper.CheckPasswordSignInAsync(user, "password", false);
// Assert // Assert