コード例 #1
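            /// <summary>
            /// Builds the "locked" bad-auth response, reporting how many whole seconds remain
            /// until the lockout ends under the <c>timeout</c> key of <c>Details</c>.
            /// </summary>
            /// <param name="until">
            /// Moment at which the lockout ends. It is compared against <see cref="DateTime.UtcNow"/>,
            /// and DateTime subtraction ignores <see cref="DateTime.Kind"/>, so the value must already
            /// be expressed in UTC — NOTE(review): confirm every caller passes a UTC timestamp.
            /// </param>
            /// <returns>A response whose <c>Details["timeout"]</c> is a non-negative int.</returns>
            public static BadRequestResponse Locked(DateTime until)
            {
                var remaining = until - DateTime.UtcNow;

                // The lockout can expire between the caller's check and this call, which would
                // yield a negative timeout; a far-future 'until' would exceed int range, where an
                // unchecked double-to-int cast has an unspecified result. Clamp to [0, int.MaxValue]
                // so clients always receive a usable retry hint. Fractions are truncated as before.
                var timeoutSeconds = (int)Math.Min(Math.Max(remaining.TotalSeconds, 0d), int.MaxValue);

                return new BadUserAuthResponse("locked")
                {
                    Details = new Dictionary<string, object>
                    {
                        { "timeout", timeoutSeconds }
                    }
                };
            }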
コード例 #2
        /// <summary>
        /// Resolves the <see cref="User"/> that owns a username credential after enforcing the
        /// lockout state and verifying the supplied password.
        /// </summary>
        /// <param name="db">Database used for the lockout lookup, attempt bookkeeping and user load.</param>
        /// <param name="credential">Credential record that was already looked up for the username.</param>
        /// <param name="password">Password supplied by the caller; it is never logged here.</param>
        /// <param name="session">
        /// Optional session, forwarded only to the lockout lookup.
        /// NOTE(review): the failed-attempt write and the user load do not receive it — confirm that is intended.
        /// </param>
        /// <returns>The user referenced by <c>credential.UserId</c>.</returns>
        /// <exception cref="HttpError">
        /// 400 with a "locked" payload while the account is locked out; 400 with
        /// <c>InvalidCredentials</c> when the password does not match; 500 when the
        /// credential points at a user that cannot be loaded.
        /// </exception>
        public static async Task<User> UserForUsernameCredential(this Database db, UsernameCredential credential, string password, Database.Session? session = null)
        {
            // The lockout gate runs before any password verification, so a locked account
            // never reaches IsValidPassword, whether the submitted password is right or wrong.
            // NOTE(review): the "locked" payload differs from InvalidCredentials, which tells the
            // caller that this username exists and is locked — confirm that disclosure is accepted.
            DateTime? lockedUntil = await db.UserLockedOut(credential.UserId!, session);
            if (lockedUntil.HasValue)
            {
                throw new HttpError(HttpStatusCode.BadRequest, BadUserAuthResponse.Locked(lockedUntil.Value));
            }

            var passwordMatches = credential.IsValidPassword(password);
            if (!passwordMatches)
            {
                // Record the failure; the result says whether this attempt triggered a lockout.
                // NOTE(review): the lockout lookup above and this write are separate awaits, so
                // concurrent requests may each pass the gate — verify the counter is atomic.
                var triggeredLockout = await db.BadPasswordAuthAttempt(credential.UserId!);

                if (!triggeredLockout)
                {
                    db.logger.LogInformation("{UserId} InvalidPassword", credential.UserId);
                }
                // When a lockout was triggered nothing is logged here: per the original author,
                // BadPasswordLockout.BadAuthAttempt() already did.
                BadAuthCounter.Labels(triggeredLockout ? "UserLockedOut" : "InvalidPassword").Inc();

                // The same generic response is returned either way, so the attempt that trips
                // the lockout is indistinguishable from an ordinary wrong password.
                throw new HttpError(HttpStatusCode.BadRequest, BadUserAuthResponse.InvalidCredentials);
            }

            var user = await db.Get<User>(credential.UserId!);
            if (user == null)
            {
                // A credential without its user is an integrity problem rather than a client
                // error: the original author could not explain how it would arise, so it is
                // logged as an error, counted, and surfaced as a 500.
                db.logger.LogError("{UserId} UserNotFound from credential", credential.UserId);
                BadAuthCounter.Labels("UserNotFound").Inc();
                throw new HttpError(HttpStatusCode.InternalServerError);
            }

            return user;
        }