fix : users are locked after three failed login attempts.

2025-10-21 16:41:54 +05:30
parent 75ebcf8407
commit 96af9ff264
1 changed files with 30 additions and 35 deletions
--- a/src/controllers/auth.controller.js
+++ b/src/controllers/auth.controller.js
@@ -24,18 +24,19 @@ async function login(req, res) {
    // --- Step 1: Check if user is already locked ---
    const blockedKey = `login:blocked:${customerNo}`;
    const attemptsKey = `login:attempts:${customerNo}`;
-    console.log("hi",blockedKey);
-    console.log("attempt Key",attemptsKey);

    
-    // check DB locked flag
    const userCheck = await authService.findUserByCustomerNo(customerNo);
+
+    if (loginType.toUpperCase() === 'IB') {
+      // check DB locked flag
      if (userCheck && userCheck.locked) {
        await setJson(blockedKey, true, BLOCK_DURATION);
        return res.status(423).json({
          error: 'Your account is locked. Please contact the administrator.',
        });
      }
+    }

    // --- Step 2: Check migration status
    const isMigratedUser = await authService.isMigratedUser(customerNo);
@@ -46,35 +47,29 @@ async function login(req, res) {
    const user = await authService.validateUser(customerNo, password);

    if (!user) {
-      // Invalid credentials: increment Redis counter
+      if (loginType.toUpperCase() === 'IB') {
        let attempts = (await getJson(attemptsKey)) || 0;
        attempts += 1;

        if (attempts >= MAX_ATTEMPTS) {
-        // lock the account in DB
          await db.query('UPDATE users SET locked = true WHERE customer_no = $1', [customerNo]);
-
-        // mark as blocked in Redis
          await setJson(blockedKey, true, BLOCK_DURATION);
-
-        // clear attempts counter
          await setJson(attemptsKey, 0);

-        logger.warn(`User ${customerNo} account locked after ${MAX_ATTEMPTS} failed attempts.`);
-
          return res.status(423).json({
            error: 'Your account has been locked due to multiple failed login attempts. Please contact the administrator.',
          });
-      } 
-      else {
-        // Save the incremented attempt count with TTL (optional 15 mins)
+        } else {
          await setJson(attemptsKey, attempts, BLOCK_DURATION);
-
          return res.status(401).json({
            error: `Invalid credentials. ${MAX_ATTEMPTS - attempts} attempt(s) remaining.`,
          });
        }
+      } else {
+        return res.status(401).json({ error: 'Invalid credentials.' });
      }
+    }
+

    // --- Step 4: If login successful, reset Redis attempts ---
    await setJson(attemptsKey, 0); // reset counter