PhilipSkinner/elemental-lowcode

Account lockouts

Opened this issue · 0 comments

Add the ability to enable account lockouts on a per client basis:

{
    "client_id": "interface-community-client",
    ...
    "features": {
        "lockout": {
            "enabled": true,
            "count" : 5,
            "interval" : 300,
            "back_off" : 3600
        }
    }
}

The system must send an email when an account becomes locked. This email template can be hard coded for the time being.

Each account needs to track:

  • The times of the last `count` failed attempts, in an array
  • The time until which the account is locked

When a user enters a valid username but an invalid password, we must store this failed attempt in the failed attempts array, along with the timestamp at which it occurred.

If an account has `count` failed attempts within the previous `interval` seconds, then the account becomes locked until now() + `back_off`.

If a user attempts to log into an account whose locked-until time is in the future, the system should fail the auth and alert the user with an onscreen error that their account is locked.
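The rules above, worked through as an added example; this is not code from elemental-lowcode, and the names it uses are assumptions: the config is read from `client.features.lockout` (the shape in the issue's JSON), the account keeps `failedAttempts` and `lockedUntil`, and the clock (`now`, in seconds), the password check (`verifyPassword`) and the mailer (`sendEmail`) are injected so the logic runs offline with constructed data.

```javascript
// Added example, not code from elemental-lowcode. Assumed names: client.features.lockout,
// account.failedAttempts, account.lockedUntil, and injected now / verifyPassword / sendEmail.

const LOCKOUT_DEFAULTS = { enabled: false, count: 5, interval: 300, back_off: 3600 };

function lockoutConfig(client) {
  const cfg = (client.features && client.features.lockout) || {};
  return { ...LOCKOUT_DEFAULTS, ...cfg };
}

// Hard-coded email template, as the issue allows for a first version.
function lockoutEmail(email, lockedUntil) {
  return {
    to: email,
    subject: "Your account has been locked",
    body: `Too many failed sign-in attempts. The account is locked until ` +
      `${new Date(lockedUntil * 1000).toISOString()}.`,
  };
}

function isLocked(account, now) {
  return typeof account.lockedUntil === "number" && account.lockedUntil > now;
}

// Record a failed attempt (valid username, wrong password). Keeps only the most recent
// `count` timestamps and locks the account when all `count` fall inside the last
// `interval` seconds. Returns true when this attempt caused the lock.
function recordFailedAttempt(account, cfg, now, sendEmail) {
  account.failedAttempts = (account.failedAttempts || []).concat(now).slice(-cfg.count);
  const inWindow = account.failedAttempts.filter((t) => t >= now - cfg.interval).length;
  if (inWindow < cfg.count) return false;
  account.lockedUntil = now + cfg.back_off;
  sendEmail(lockoutEmail(account.email, account.lockedUntil));
  return true;
}

// Authentication decision for one client. An unknown username and a wrong password
// both produce "invalid_credentials"; only the lock state is reported separately.
function authenticate({ accounts, client, username, password, now, verifyPassword, sendEmail }) {
  const account = accounts[username];
  if (!account) return { ok: false, reason: "invalid_credentials" };
  const cfg = lockoutConfig(client);
  if (cfg.enabled && isLocked(account, now)) {
    return { ok: false, reason: "locked", lockedUntil: account.lockedUntil };
  }
  if (verifyPassword(account, password)) return { ok: true };
  if (cfg.enabled && recordFailedAttempt(account, cfg, now, sendEmail)) {
    return { ok: false, reason: "locked", lockedUntil: account.lockedUntil };
  }
  return { ok: false, reason: "invalid_credentials" };
}

// Constructed sample data: the client from the issue and a single account.
const sampleClient = {
  client_id: "interface-community-client",
  features: { lockout: { enabled: true, count: 5, interval: 300, back_off: 3600 } },
};

// Replay a list of [timestampSeconds, password] attempts against a fresh account and
// return every decision, the emails "sent", and the final account state.
function simulate(attempts) {
  const accounts = { alice: { email: "alice@example.com", password: "correct horse" } };
  const sent = [];
  const results = attempts.map(([now, password]) =>
    authenticate({
      accounts, client: sampleClient, username: "alice", password, now,
      verifyPassword: (acct, pw) => pw === acct.password, // stand-in for the real hash check
      sendEmail: (msg) => sent.push(msg),
    })
  );
  return { results, sent, account: accounts.alice };
}

// Five failures in five seconds lock the account for back_off seconds, even for the
// right password; the lock expires at lockedUntil.
const burst = simulate([
  [0, "x"], [1, "x"], [2, "x"], [3, "x"], [4, "x"],
  [10, "correct horse"], [3604, "correct horse"],
]);
console.log(burst.results.map((r) => r.reason || "ok").join(", "), "emails:", burst.sent.length);
```

Two points a reviewer would raise from the issue text itself: failures for a username that does not exist are deliberately not counted, so this feature rate-limits password guessing but not username probing; and because the locked check runs before the password is verified, the "account is locked" message is shown to anyone who knows the username, which is what the issue asks for. The example keeps the last `count` timestamps rather than clearing them on lock, so with a `back_off` shorter than `interval` a single failure right after the lock expires would re-lock the account; the issue does not say which behaviour is wanted.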