Account lockouts
Opened this issue · 0 comments
PhilipSkinner commented
Add the ability to enable account lockouts on a per client basis:
{
    "client_id": "interface-community-client",
    ...
    "features": {
        "lockout": {
            "enabled": true,
            "count": 5,
            "interval": 300,
            "back_off": 3600
        }
    }
}
The system must send an email when an account becomes locked. This email template can be hard coded for the time being.
Each account needs to track:
- The time of the last `count` failed attempts, in an array
- The time the account is locked until
When a user enters a valid username but an invalid password we must store this failed attempt within the failed attempts array, along with the timestamp when it occurred.
If an account has `count` attempts within the previous `interval` seconds then the account becomes locked until now() + `back_off`.
If a user attempts to log into an account where the account locked until is in the future, the system should fail the auth and alert the user with an onscreen error that their account is locked.