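/// <summary>
/// Builds the "locked" bad-request response returned while a user's account lockout is in force.
/// </summary>
/// <param name="until">
/// Moment the lockout ends. It is compared against <see cref="DateTime.UtcNow"/>, so it is
/// expected to be a UTC timestamp — confirm at the call site.
/// </param>
/// <returns>
/// A <see cref="BadUserAuthResponse"/> with reason "locked" whose <c>Details</c> carries a
/// "timeout" entry: the whole seconds remaining until <paramref name="until"/>, never negative.
/// </returns>
public static BadRequestResponse Locked(DateTime until)
{
    var remaining = until - DateTime.UtcNow;
    // An already-expired lockout (or clock skew between the stored timestamp and this host)
    // would otherwise produce a negative "timeout"; clamp to [0, int.MaxValue] so the cast
    // to int is well-defined and clients always see a non-negative count.
    var remainingSeconds = (int)Math.Min(Math.Max(remaining.TotalSeconds, 0d), int.MaxValue);
    var response = new BadUserAuthResponse("locked");
    response.Details = new Dictionary<string, object> { { "timeout", remainingSeconds } };
    return response;
}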
/// <summary>
/// Resolves the <see cref="User"/> behind a username credential after checking the account
/// lockout state and verifying the supplied password. The lockout check runs before the
/// password is verified, so a locked account never reaches password comparison.
/// </summary>
/// <param name="db">Database the credential, lockout state and user record are read from.</param>
/// <param name="credential">Credential whose <c>UserId</c> identifies the account; its <c>IsValidPassword</c> verifies <paramref name="password"/>.</param>
/// <param name="password">Password presented by the caller.</param>
/// <param name="session">Optional database session forwarded to the lockout lookup.</param>
/// <returns>The user that owns the credential.</returns>
/// <exception cref="HttpError">
/// <c>BadRequest</c> with <see cref="BadUserAuthResponse.Locked"/> while the account is locked out;
/// <c>BadRequest</c> with <see cref="BadUserAuthResponse.InvalidCredentials"/> when the password does not match;
/// <c>InternalServerError</c> when the credential exists but no user record does.
/// </exception>
public static async Task<User> UserForUsernameCredential(this Database db, UsernameCredential credential, string password, Database.Session? session = null)
{
    DateTime? lockoutEnd = await db.UserLockedOut(credential.UserId!, session);
    if (lockoutEnd is DateTime lockedUntil)
    {
        throw new HttpError(HttpStatusCode.BadRequest, BadUserAuthResponse.Locked(lockedUntil));
    }

    if (!credential.IsValidPassword(password))
    {
        // Recording the failed attempt may itself trip the lockout threshold.
        var nowLockedOut = await db.BadPasswordAuthAttempt(credential.UserId!);
        if (!nowLockedOut)
        {
            // The lockout path is already logged by BadPasswordLockout.BadAuthAttempt(),
            // so only the plain invalid-password case is logged here.
            db.logger.LogInformation("{UserId} InvalidPassword", credential.UserId);
        }
        BadAuthCounter.Labels(nowLockedOut ? "UserLockedOut" : "InvalidPassword").Inc();
        throw new HttpError(HttpStatusCode.BadRequest, BadUserAuthResponse.InvalidCredentials);
    }

    var user = await db.Get<User>(credential.UserId!);
    if (user == null)
    {
        // A credential row without a matching user row should not be possible: the
        // credential references a user that was never stored or has since vanished.
        db.logger.LogError("{UserId} UserNotFound from credential", credential.UserId);
        BadAuthCounter.Labels("UserNotFound").Inc();
        throw new HttpError(HttpStatusCode.InternalServerError);
    }

    return user;
}