Skip to content

[CLOUD-222] auth: add config options for account lockout

Administrator requested to merge jc/CLOUD-222-config-options into main

Created by: unknwon

This PR adds config options for account lockout measures, namely failed attempts threshold, lockout period and consecutive period.

This also fixes a potential server panic due to unexpected usages of log15 package. cc @pietrorosa77

CHANGELOG entry and docs will be updated in a subsequent PR for both CLOUD-222 and CLOUD-277.

Test plan

Unit tests and,

  1. Boot up local instance (doesn't have to be in dotcom mode)
  2. Try wrong password for an existing user for 5 times
  3. On the sixth time, the account lockout error is shown
  4. Try again after 30 minutes (or change the config to 10 seconds) or delete the Redis key v2:account_lockout:<user ID>, the account is unlocked
CleanShot 2022-04-08 at 16 22 57@2x

Merge request reports