Brute force protection failed_logins_count incremented by 2
ophilbert opened this issue · 3 comments
Hello
Configuration
Sorcery (0.16.3)
Ruby 3.0
Rails 7.0.2.3
MacOS
Context
Brute Force Protection wiki states that the controller should call user.register_failed_login!
to increase failed_login_count for user.
It seems to me that a failed login method already handles that. Maybe there's something I didn't understand. I followed the wiki instructions though. Maybe it needs an update or a clarification?
Expected Behavior
Failed login attempt should increase failed_logins_count by 1
Actual Behavior
Failed login attempt increases failed_logins_count by 2
Steps to Reproduce
- Clone the example repo here
- Start the server
- Create a user with email and password
- Login with that user but provide a wrong password
- See that 1 failed login is considered as 2 login attempts
- Comment out user.register_failed_login! in user_sessions_controller.rb
- Login with that user but provide a wrong password
- See that 1 failed login is considered as 1 login attempt
Thanks for your help
@ophilbert Thanks for creating the application to reproduce the issue. It made the investigation easier. It seems that outdated information on the wiki is to blame. Sorcery now automatically increments failed_logins_count inside the login method when a login attempt fails, so there's no need to explicitly call user.register_failed_login!. This has been the case since 2011.
I see! The wiki is to blame then. Thanks for taking the time to review this issue.
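The double count described in this thread, reproduced as an added example that is not part of the issue and is not Sorcery's code. FakeUser, FakeSorcery, create_per_wiki, create_fixed and attempt_wrong_passwords are names made up for this illustration; the retry limit of 3 and the one-hour lock period are assumed configuration values, and the lock logic is a simplified stand-in for the brute force protection submodule. The login helper is written to behave as the maintainer describes: a failed attempt already increments failed_logins_count, so a controller that calls register_failed_login! afterwards counts each wrong password twice.

```ruby
# Minimal stand-in for a user record with Sorcery-style brute-force columns.
# Constructed for this example; not Sorcery's model code.
class FakeUser
  attr_reader :email, :failed_logins_count, :lock_expires_at

  RETRY_LIMIT = 3        # assumed consecutive_login_retries_amount_limit
  LOCK_PERIOD = 60 * 60  # assumed login_lock_time_period, in seconds

  def initialize(email, password)
    @email = email
    @password = password
    @failed_logins_count = 0
    @lock_expires_at = nil
  end

  def password_matches?(candidate)
    @password == candidate # plain comparison; real code compares password digests
  end

  def login_locked?
    !@lock_expires_at.nil? && @lock_expires_at > Time.now
  end

  # The method the outdated wiki told controllers to call explicitly.
  def register_failed_login!
    @failed_logins_count += 1
    @lock_expires_at = Time.now + LOCK_PERIOD if @failed_logins_count >= RETRY_LIMIT
  end

  def register_successful_login!
    @failed_logins_count = 0
    @lock_expires_at = nil
  end
end

# Stand-in for the controller-side login helper, matching the maintainer's
# description: a failed attempt increments the counter inside login itself.
module FakeSorcery
  def self.login(user, password)
    return nil if user.login_locked?
    if user.password_matches?(password)
      user.register_successful_login!
      user
    else
      user.register_failed_login! # the increment already happens here
      nil
    end
  end
end

# Controller action as the wiki described it: a second register_failed_login!
# on failure, so every wrong password is counted twice.
def create_per_wiki(user, password)
  logged_in = FakeSorcery.login(user, password)
  user.register_failed_login! unless logged_in
  logged_in
end

# Corrected controller action: let login do the bookkeeping.
def create_fixed(user, password)
  FakeSorcery.login(user, password)
end

# Runs n wrong-password attempts through the given controller action on a
# fresh user and returns [failed_logins_count, locked?].
def attempt_wrong_passwords(controller, n)
  user = FakeUser.new("alice@example.com", "correct horse") # constructed input
  n.times { send(controller, user, "wrong") }
  [user.failed_logins_count, user.login_locked?]
end

if __FILE__ == $PROGRAM_NAME
  p attempt_wrong_passwords(:create_per_wiki, 1) # [2, false]
  p attempt_wrong_passwords(:create_fixed, 1)    # [1, false]
  p attempt_wrong_passwords(:create_per_wiki, 2) # [4, true]
  p attempt_wrong_passwords(:create_fixed, 2)    # [2, false]
  p attempt_wrong_passwords(:create_fixed, 3)    # [3, true]
end
```

The practical consequence of the double count is visible in the lock state: with a limit of 3, the wiki-style controller locks the account after two wrong passwords instead of three, so anyone who knows a victim's email can lock them out with fewer requests than the configured limit intends.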