md.asif5/yume_js
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix : users are locked after three failed login attempts.

Browse Source
This commit is contained in:
nabanita.jana
2025-10-21 16:41:54 +05:30
parent 75ebcf8407
commit 96af9ff264
1 changed files with 30 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
src/controllers/auth.controller.js
View File

@@ -11,7 +11,7 @@ const { setJson, getJson } = require('../config/redis');
async function login(req, res) {
const { customerNo, password, otp } = req.body;
const loginType = req.headers['x-login-type'] || 'standard';
if (!customerNo || !password) {
return res.status(400).json({ error: 'customerNo and password are required' });
@@ -24,17 +24,18 @@ async function login(req, res) {
// --- Step 1: Check if user is already locked ---
const blockedKey = `login:blocked:${customerNo}`;
const attemptsKey = `login:attempts:${customerNo}`;
console.log("hi",blockedKey);
console.log("attempt Key",attemptsKey);
// check DB locked flag
const userCheck = await authService.findUserByCustomerNo(customerNo);
if (userCheck && userCheck.locked) {
await setJson(blockedKey, true, BLOCK_DURATION);
return res.status(423).json({
error: 'Your account is locked. Please contact the administrator.',
});
if (loginType.toUpperCase() === 'IB') {
// check DB locked flag
if (userCheck && userCheck.locked) {
await setJson(blockedKey, true, BLOCK_DURATION);
return res.status(423).json({
error: 'Your account is locked. Please contact the administrator.',
});
}
}
// --- Step 2: Check migration status
@@ -46,36 +47,30 @@ async function login(req, res) {
const user = await authService.validateUser(customerNo, password);
if (!user) {
// Invalid credentials: increment Redis counter
let attempts = (await getJson(attemptsKey)) || 0;
attempts += 1;
if (loginType.toUpperCase() === 'IB') {
let attempts = (await getJson(attemptsKey)) || 0;
attempts += 1;
if (attempts >= MAX_ATTEMPTS) {
// lock the account in DB
await db.query('UPDATE users SET locked = true WHERE customer_no = $1', [customerNo]);
if (attempts >= MAX_ATTEMPTS) {
await db.query('UPDATE users SET locked = true WHERE customer_no = $1', [customerNo]);
await setJson(blockedKey, true, BLOCK_DURATION);
await setJson(attemptsKey, 0);
// mark as blocked in Redis
await setJson(blockedKey, true, BLOCK_DURATION);
// clear attempts counter
await setJson(attemptsKey, 0);
logger.warn(`User ${customerNo} account locked after ${MAX_ATTEMPTS} failed attempts.`);
return res.status(423).json({
error:'Your account has been locked due to multiple failed login attempts. Please contact the administrator.',
});
}
else {
// Save the incremented attempt count with TTL (optional 15 mins)
await setJson(attemptsKey, attempts, BLOCK_DURATION);
return res.status(401).json({
error: `Invalid credentials. ${MAX_ATTEMPTS - attempts} attempt(s) remaining.`,
});
return res.status(423).json({
error: 'Your account has been locked due to multiple failed login attempts. Please contact the administrator.',
});
} else {
await setJson(attemptsKey, attempts, BLOCK_DURATION);
return res.status(401).json({
error: `Invalid credentials. ${MAX_ATTEMPTS - attempts} attempt(s) remaining.`,
});
}
} else {
return res.status(401).json({ error: 'Invalid credentials.' });
}
}
// --- Step 4: If login successful, reset Redis attempts ---
await setJson(attemptsKey, 0); // reset counter