
Add signal for invalid login attempt #214

Open
jameshanlon opened this issue May 26, 2018 · 5 comments

Comments

@jameshanlon

This is a feature request. Flask-User is entirely vulnerable to brute force password attacks. However, it would be straightforward to add a signal for a failed login attempt to allow users of Flask-Login to implement a mechanism to defend against this.

@CodeRhymesLife

CodeRhymesLife commented Aug 14, 2018

We have the same issue. Adding a bit more info about our specific use case.

ACTUAL:
There isn't an easy way to react to a failed login due to an invalid password. This is important for security. We want to lock a user's account after 5 invalid password attempts but don't have a way to react to a failed login attempt.

EXPECTED:
Easy way to react to failed login due to invalid password.

PROPOSED FIX:
Update LoginForm.validate to fire signal when password verification fails.

    # Handle successful authentication
    if user and user_manager.verify_password(self.password.data, user.password):
        return True  # Successful authentication
    # Proposed: fire a failed-login signal here, on the fall-through path
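A sketch of what the proposed signal would enable, added here as an example and not Flask-User's own code: a minimal stand-in for a blinker signal, a validate routine that fires `user_login_failed` when password verification fails, and a receiver that locks the account after five failures as described in this comment. The signal names, `LockoutPolicy` and `validate_login` are assumptions, and the PBKDF2 password hashing stands in for whatever `user_manager.verify_password` actually does.

```python
import hashlib
import hmac
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # lock after five invalid passwords, as in the comment above
PBKDF2_ROUNDS = 100_000

class Signal:
    """Minimal stand-in for a blinker signal: receivers are called with keyword arguments."""
    def __init__(self):
        self.receivers = []

    def send(self, **kwargs):
        for receiver in self.receivers:
            receiver(**kwargs)

user_logged_in = Signal()     # hypothetical signal names; not defined by Flask-User on the page
user_login_failed = Signal()

def hash_password(password, salt):
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)  # salt(16) || digest

def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

class LockoutPolicy:
    """Signal receiver: count failures per username, lock at the threshold, reset on success."""
    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold, self.failures, self.locked = threshold, defaultdict(int), set()
        user_login_failed.receivers.append(self.on_failure)
        user_logged_in.receivers.append(self.on_success)

    def on_failure(self, user, **kwargs):
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)

    def on_success(self, user, **kwargs):
        self.failures.pop(user, None)

def validate_login(username, password, users, policy):
    """Mirrors LoginForm.validate, but also fires a signal on the failure path."""
    stored = users.get(username)
    if username not in policy.locked and stored is not None and verify_password(password, stored):
        user_logged_in.send(user=username)
        return True
    user_login_failed.send(user=username)  # the branch the issue asks to instrument
    return False
```

A per-username counter alone lets anyone lock a victim out by guessing wrong on purpose, so a production receiver would also key on source address and expire counters after a time window rather than locking permanently.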

@jameshanlon
Author

@drryanjames Thanks for fixing this issue. Hopefully it will be merged in soon!

@jameshanlon
Author

@lingthio - This issue has been open since May 2018 and represents a significant security consideration for the project. A simple fix has been made and merge request open since August 2018 by @drryanjames. Is there any reason why the fix can't be merged now?

@emin-ec

emin-ec commented Jul 11, 2019

I'm curious what the status of this issue and related PR is. This seems like a good fix. Is there a reason why it seems to have been ignored? I guess an alternative is to override the login form in flask security or other tools and react to failed logins that way. It would be nice to have an official solution though or know what the issues are in not having one.

Thanks.

@and-semakin
Collaborator

and-semakin commented Nov 24, 2019

I agree that this is a very important functionality. The only reason it is not yet merged is the lack of maintainers time. I plan to review and merge the PRs that have accumulated over a long time, including #230. We also need to write tests for this feature. Thank you for your patience :)
