EQMS-1402: limit password login max attempts (#10184)

Signed-off-by: Alexey Zinoviev <alexey.zinoviev@xored.com>

Author: lexiv0re

.vscode/launch.json

@@ -201,6 +201,7 @@
         "FRONT_URL": "http://huly.local:8087",
         "STATS_URL": "http://huly.local:4900",
         "MAIL_URL": "",
+        "MAX_FAILED_LOGIN_ATTEMPTS": "5",
         // "DB_NS": "account-2",
         // "WS_LIVENESS_DAYS": "1",
         // "WORKSPACE_LIMIT_PER_USER": "1",

common/config/rush/pnpm-lock.yaml

@@ -1338,7 +1338,8 @@ describe('account operations', () => {
 
     const mockDb = {
       account: {
-        findOne: jest.fn()
+        findOne: jest.fn(),
+        update: jest.fn()
       },
       person: {
         findOne: jest.fn()
@@ -1568,7 +1569,8 @@ describe('account operations', () => {
 
     const mockDb = {
       account: {
-        findOne: jest.fn()
+        findOne: jest.fn(),
+        update: jest.fn()
       },
       person: {
         findOne: jest.fn(),
@@ -2178,7 +2180,8 @@ describe('account operations', () => {
 
     const mockDb = {
       account: {
-        findOne: jest.fn()
+        findOne: jest.fn(),
+        update: jest.fn()
       },
       person: {
         findOne: jest.fn()

server/account/src/__tests__/operations.test.ts

@@ -336,6 +336,7 @@ describe('AccountPostgresDbCollection', () => {
         a.locale,
         a.automatic,
         a.max_workspaces,
+        a.failed_login_attempts,
         p.hash,
         p.salt
       FROM global_account.account as a

server/account/src/__tests__/postgres.test.ts

@@ -38,7 +38,8 @@ export function getMigrations (ns: string): [string, string][] {
     getV17Migration(ns),
     getV18Migration(ns),
     getV19Migration(ns),
-    getV20Migration(ns)
+    getV20Migration(ns),
+    getV21Migration(ns)
   ]
 }
 
@@ -568,3 +569,13 @@ function getV20Migration (ns: string): [string, string] {
     `
   ]
 }
+
+function getV21Migration (ns: string): [string, string] {
+  return [
+    'account_db_v21_add_failed_login_attempts',
+    `
+    ALTER TABLE ${ns}.account
+    ADD COLUMN IF NOT EXISTS failed_login_attempts SMALLINT DEFAULT 0;
+    `
+  ]
+}

server/account/src/collections/postgres/migrations.ts

@@ -437,6 +437,7 @@ export class AccountPostgresDbCollection
         a.locale,
         a.automatic,
         a.max_workspaces,
+        a.failed_login_attempts,
         p.hash,
         p.salt
       FROM ${this.getTableName()} as a

server/account/src/collections/postgres/postgres.ts

@@ -117,7 +117,10 @@ import {
   getWorkspacesInfoWithStatusByIds,
   doMergePersons,
   getWorkspaceJoinInfo,
-  signUpByGrant
+  signUpByGrant,
+  isAccountPasswordLocked,
+  recordFailedLoginAttempt,
+  resetFailedLoginAttempts
 } from './utils'
 
 // Note: it is IMPORTANT to always destructure params passed here to avoid sending extra params
@@ -152,6 +155,8 @@ export async function loginAsGuest (
 
 /**
  * Given an email and password, logs the user in and returns the account information and token.
+ * If the account has too many failed login attempts, password login is blocked.
+ * The user must use an alternative method (e.g., OTP) to unlock the account.
  */
 export async function login (
   ctx: MeasureContext,
@@ -184,15 +189,34 @@ export async function login (
       throw new PlatformError(new Status(Severity.ERROR, platform.status.AccountNotFound, {}))
     }
 
+    // Check if account is locked due to too many failed login attempts
+    if (isAccountPasswordLocked(existingAccount)) {
+      ctx.warn('Login attempt on locked account - password login locked', {
+        email: normalizedEmail,
+        failedAttempts: existingAccount.failedLoginAttempts
+      })
+      throw new PlatformError(
+        new Status(Severity.ERROR, platform.status.PasswordLoginLocked, { account: normalizedEmail })
+      )
+    }
+
     const person = await db.person.findOne({ uuid: emailSocialId.personUuid })
     if (person == null) {
       throw new PlatformError(new Status(Severity.ERROR, platform.status.InternalServerError, {}))
     }
 
     if (!verifyPassword(password, existingAccount.hash, existingAccount.salt)) {
+      try {
+        await recordFailedLoginAttempt(db, existingAccount.uuid)
+      } catch (err) {
+        ctx.warn('Failed to record failed login attempt', { error: err, account: existingAccount.uuid })
+      }
       throw new PlatformError(new Status(Severity.ERROR, platform.status.AccountNotFound, {}))
     }
 
+    // Successful login - reset failed attempts counter
+    await resetFailedLoginAttempts(db, existingAccount.uuid)
+
     const isConfirmed = emailSocialId.verifiedOn != null
 
     const extraToken: Record<string, string> = isAdminEmail(normalizedEmail) ? { admin: 'true' } : {}
@@ -477,6 +501,8 @@ export async function validateOtp (
       throw new PlatformError(new Status(Severity.ERROR, platform.status.InternalServerError, {}))
     }
 
+    await resetFailedLoginAttempts(db, emailSocialId.personUuid as AccountUuid)
+
     const extraToken: Record<string, string> = isAdminEmail(normalizedEmail) ? { admin: 'true' } : {}
 
     return {

server/account/src/operations.ts

@@ -64,6 +64,7 @@ export interface Account {
   hash?: Buffer | null
   salt?: Buffer | null
   maxWorkspaces?: number
+  failedLoginAttempts?: number // Number of consecutive failed login attempts
 }
 
 // TODO: type data with generic type

server/account/src/types.ts

@@ -342,6 +342,66 @@ export function verifyPassword (password: string, hash?: Buffer | null, salt?: B
   return Buffer.compare(hash as any, hashWithSalt(password, salt) as any) === 0
 }
 
+// 0 or negative value means no limit
+const maxFailedLoginAttempts =
+  process.env.MAX_FAILED_LOGIN_ATTEMPTS != null ? parseInt(process.env.MAX_FAILED_LOGIN_ATTEMPTS) : 5
+
+/**
+ * Check if an account is locked due to too many failed login attempts.
+ * An account is locked if failedLoginAttempts >= maxFailedLoginAttempts.
+ * @param account The account to check
+ * @returns true if account is locked, false otherwise
+ */
+export function isAccountPasswordLocked (account: Account): boolean {
+  if (maxFailedLoginAttempts <= 0) {
+    return false
+  }
+
+  const failedAttempts = account.failedLoginAttempts ?? 0
+
+  return failedAttempts >= maxFailedLoginAttempts
+}
+
+/**
+ * Record a failed login attempt for an account.
+ * Increments the failed attempts counter.
+ * @param db Database instance
+ * @param accountUuid Account UUID
+ */
+export async function recordFailedLoginAttempt (db: AccountDB, accountUuid: AccountUuid): Promise<void> {
+  const account = await db.account.findOne({ uuid: accountUuid })
+  if (account == null) {
+    return
+  }
+
+  const currentAttempts = account.failedLoginAttempts ?? 0
+  const newAttempts = currentAttempts + 1
+
+  await db.account.update(
+    { uuid: accountUuid },
+    {
+      failedLoginAttempts: newAttempts
+    }
+  )
+}
+
+/**
+ * Reset failed login attempts for an account.
+ * Called when:
+ * - User successfully logs in with password
+ * - User successfully authenticates via OTP or other alternative method
+ * @param db Database instance
+ * @param accountUuid Account UUID
+ */
+export async function resetFailedLoginAttempts (db: AccountDB, accountUuid: AccountUuid): Promise<void> {
+  await db.account.update(
+    { uuid: accountUuid },
+    {
+      failedLoginAttempts: 0
+    }
+  )
+}
+
 export function cleanEmail (email: string): string {
   return email.toLowerCase().trim()
 }