Incrementing of failed logins happens on api side

2026-02-05 02:42:26 -05:00 · 2016-01-26 12:32:08 +00:00
parent d89174f322
commit b394a18b4e
3 changed files with 21 additions and 21 deletions
--- a/app/main/dao/users_dao.py
+++ b/app/main/dao/users_dao.py
@@ -38,11 +38,6 @@ def verify_password(user, password):
    return user_api_client.verify_password(user, password)


-def increment_failed_login_count(id):
-    user = get_user_by_id(id)
-    user.failed_login_count += 1
-
-
 def activate_user(user):
    user.state = 'active'
    return user_api_client.update_user(user)
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -23,20 +23,31 @@ def sign_in():
    try:
        form = LoginForm()
        if form.validate_on_submit():
-            user = users_dao.get_user_by_email(form.email_address.data)
+            user = _get_and_verify_user(form.email_address.data, form.password.data)
            if user:
-                if not user.is_locked() and user.is_active() and users_dao.verify_password(user, form.password.data):
-                    send_sms_code(user.id, user.mobile_number)
-                    session['user_email'] = user.email_address
-                    return redirect(url_for('.two_factor'))
-                else:
-                    # TODO re wire this increment to api
-                    users_dao.increment_failed_login_count(user.id)
-            # Vague error message for login
-            form.password.errors.append('Username or password is incorrect')
+                send_sms_code(user.id, user.mobile_number)
+                session['user_email'] = user.email_address
+                return redirect(url_for('.two_factor'))
+            else:
+                # Vague error message for login in case of user not known, locked, inactive or password not verified
+                form.password.errors.append('Username or password is incorrect')

        return render_template('views/signin.html', form=form)
    except:
        import traceback
        traceback.print_exc()
        abort(500)
+
+
+def _get_and_verify_user(email_address, password):
+    user = users_dao.get_user_by_email(email_address)
+    if not user:
+        return None
+    elif user.is_locked():
+        return None
+    elif not user.is_active():
+        return None
+    elif not users_dao.verify_password(user, password):
+        return None
+    else:
+        return user