From 96af9ff26404d12ab3f46f7d678fe045ccc3e9db Mon Sep 17 00:00:00 2001
From: "nabanita.jana"
Date: Tue, 21 Oct 2025 16:41:54 +0530
Subject: [PATCH] fix : users are locked after three failed login attempts.

---
 src/controllers/auth.controller.js | 65 ++++++++++++++----------------
 1 file changed, 30 insertions(+), 35 deletions(-)

diff --git a/src/controllers/auth.controller.js b/src/controllers/auth.controller.js
index 0b049de..2a3dc46 100644
--- a/src/controllers/auth.controller.js
+++ b/src/controllers/auth.controller.js
@@ -11,7 +11,7 @@ const { setJson, getJson } = require('../config/redis');
 async function login(req, res) {
   const { customerNo, password, otp } = req.body;
   const loginType = req.headers['x-login-type'] || 'standard';
-
+
   if (!customerNo || !password) {
     return res.status(400).json({ error: 'customerNo and password are required' });
@@ -24,17 +24,18 @@ async function login(req, res) {
   // --- Step 1: Check if user is already locked ---
   const blockedKey = `login:blocked:${customerNo}`;
   const attemptsKey = `login:attempts:${customerNo}`;
-  console.log("hi",blockedKey);
-  console.log("attempt Key",attemptsKey);
-
-  // check DB locked flag
+
   const userCheck = await authService.findUserByCustomerNo(customerNo);
-  if (userCheck && userCheck.locked) {
-    await setJson(blockedKey, true, BLOCK_DURATION);
-    return res.status(423).json({
-      error: 'Your account is locked. Please contact the administrator.',
-    });
+
+  if (loginType.toUpperCase() === 'IB') {
+    // check DB locked flag
+    if (userCheck && userCheck.locked) {
+      await setJson(blockedKey, true, BLOCK_DURATION);
+      return res.status(423).json({
+        error: 'Your account is locked. Please contact the administrator.',
+      });
+    }
   }
   // --- Step 2: Check migration status
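Review bot: The DB `locked` check is now gated on `loginType.toUpperCase() === 'IB'`, and `loginType` is taken verbatim from the client-supplied `x-login-type` header (defaulting to `'standard'`), so a caller decides for itself whether the lockout applies; the same client-chosen gate also controls whether failed attempts are counted and the account locked in the `@@ -46,36` hunk. If non-IB flows genuinely need different handling, derive the login type from something the server controls (the route, the authenticated client identity, or a server-side allow-list of header values) rather than a free-form header, and keep the already-locked check unconditional: `if (userCheck && userCheck.locked) {` outside the `'IB'` branch, with only the attempt counting made type-specific. `blockedKey` is written here but nothing in this hunk reads it, so it is unclear from this diff whether the Redis block is enforced anywhere; if it is checked elsewhere, a short comment pointing there would help the next reader. The body of `login` continues outside this hunk.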
@@ -46,36 +47,30 @@ async function login(req, res) {
   const user = await authService.validateUser(customerNo, password);
   if (!user) {
-    // Invalid credentials: increment Redis counter
-    let attempts = (await getJson(attemptsKey)) || 0;
-    attempts += 1;
+    if (loginType.toUpperCase() === 'IB') {
+      let attempts = (await getJson(attemptsKey)) || 0;
+      attempts += 1;
-    if (attempts >= MAX_ATTEMPTS) {
-      // lock the account in DB
-      await db.query('UPDATE users SET locked = true WHERE customer_no = $1', [customerNo]);
+      if (attempts >= MAX_ATTEMPTS) {
+        await db.query('UPDATE users SET locked = true WHERE customer_no = $1', [customerNo]);
+        await setJson(blockedKey, true, BLOCK_DURATION);
+        await setJson(attemptsKey, 0);
-      // mark as blocked in Redis
-      await setJson(blockedKey, true, BLOCK_DURATION);
-
-      // clear attempts counter
-      await setJson(attemptsKey, 0);
-
-      logger.warn(`User ${customerNo} account locked after ${MAX_ATTEMPTS} failed attempts.`);
-
-      return res.status(423).json({
-        error:'Your account has been locked due to multiple failed login attempts. Please contact the administrator.',
-      });
-    }
-    else {
-      // Save the incremented attempt count with TTL (optional 15 mins)
-      await setJson(attemptsKey, attempts, BLOCK_DURATION);
-
-      return res.status(401).json({
-        error: `Invalid credentials. ${MAX_ATTEMPTS - attempts} attempt(s) remaining.`,
-      });
+        return res.status(423).json({
+          error: 'Your account has been locked due to multiple failed login attempts. Please contact the administrator.',
+        });
+      } else {
+        await setJson(attemptsKey, attempts, BLOCK_DURATION);
+        return res.status(401).json({
+          error: `Invalid credentials. ${MAX_ATTEMPTS - attempts} attempt(s) remaining.`,
+        });
+      }
+    } else {
+      return res.status(401).json({ error: 'Invalid credentials.' });
     }
   }
+
   // --- Step 4: If login successful, reset Redis attempts ---
   await setJson(attemptsKey, 0); // reset counter
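Review bot: The `logger.warn` call that recorded an account lock was dropped from the `attempts >= MAX_ATTEMPTS` branch, so locking an account now leaves no log entry; restoring that warning next to the `db.query` that sets `locked = true` keeps a detection and support signal that the previous code had. The new non-IB `else` branch returns `401` without reading or updating `attemptsKey`, which means no attempt counting at all for that path; if that is intended, a comment such as `// Non-IB logins are rate-limited elsewhere — TODO confirm` would make the decision visible, since nothing in this diff shows an alternative control. `loginType.toUpperCase() === 'IB'` is now evaluated in two places in `login`; computing `const isIbLogin = loginType.toUpperCase() === 'IB';` once near the top of the function would keep both gates in sync. The enclosing function starts before this hunk and continues after it.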