From c29f87f55d05ec08fb7285d68acba211fbbabf1e Mon Sep 17 00:00:00 2001
From: Leo Hemsted
Date: Wed, 19 May 2021 18:18:09 +0100
Subject: [PATCH] increment failed login count on unsuccesful webauthn login

this doesn't include timeouts or other errors on the browser side - the main thing this catches is if the token doesn't belong to the user. However I'm not entirely clear if that's something that will be caught at this point, or if the browser would reject that key as it's not in the credentials passed in to the begin_authentication process.
---
 app/main/views/webauthn_credentials.py | 2 +-
 tests/app/main/views/test_webauthn_credentials.py | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/main/views/webauthn_credentials.py b/app/main/views/webauthn_credentials.py
index ee38b65c8..5fe4c5435 100644
--- a/app/main/views/webauthn_credentials.py
+++ b/app/main/views/webauthn_credentials.py
@@ -119,7 +119,7 @@ def _complete_webauthn_authentication(user):
     except ValueError as exc:
         current_app.logger.info(f'User {user.id} could not sign in using their webauthn token - {exc}')
         flash('Security key not recognised')
-        # TODO: increment failed login count
+        user.verify_webauthn_login(is_successful=False)
         abort(403)
 
 
diff --git a/tests/app/main/views/test_webauthn_credentials.py b/tests/app/main/views/test_webauthn_credentials.py
index 573945267..da8def9eb 100644
--- a/tests/app/main/views/test_webauthn_credentials.py
+++ b/tests/app/main/views/test_webauthn_credentials.py
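Review bot: The new `user.verify_webauthn_login(is_successful=False)` line is the only place this path records a failed attempt, and nothing around it says why the call is there, so a short why-comment would help the next reader: `# Record the failed attempt so it counts towards the user's failed-login total`. Note also that the call sits between `flash(...)` and `abort(403)`: if it raises (for example because the user API call behind it fails), the request ends with an unhandled error rather than the 403 and the flashed message — still fail-closed, but worth deciding deliberately whether a counter-update failure should propagate or be logged and swallowed. As the commit message says, only the `except ValueError` branch counts a failure; whether other rejection paths in `_complete_webauthn_authentication` should also count cannot be judged from here, since the enclosing function and its `try` start outside the hunk.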
@@ -282,6 +282,7 @@ def test_complete_authentication_403s_if_key_isnt_in_users_credentials(
     # user has no keys in the database
     mocker.patch('app.user_api_client.get_webauthn_credentials_for_user', return_value=[])
     mock_verify_webauthn_login = mocker.patch('app.main.views.webauthn_credentials._verify_webauthn_login')
+    mock_unsuccesful_login_api_call = mocker.patch('app.user_api_client.verify_webauthn_login')
     response = client.post(url_for('main.webauthn_complete_authentication'), data=webauthn_authentication_post_data)
     assert response.status_code == 403
@@ -294,6 +295,8 @@ def test_complete_authentication_403s_if_key_isnt_in_users_credentials(
     assert 'webauthn_authentication_state' not in session
     assert mock_verify_webauthn_login.called is False
+    # make sure we incremented the failed login count
+    mock_unsuccesful_login_api_call.assert_called_once_with(platform_admin_user['id'], False)
 
 
 def test_complete_authentication_clears_session(
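Review bot: The only coverage for the new counter increment is the case where the user has no registered keys (`get_webauthn_credentials_for_user` returns `[]`), and `mock_verify_webauthn_login.called is False` shows signature verification never runs in that test; a `ValueError` raised inside `_verify_webauthn_login` itself (a bad assertion for a key that is registered) would, if it reaches the same `except ValueError` branch, also increment the counter, and that path is untested. A sibling test that patches `_verify_webauthn_login` with `side_effect=ValueError('constructed')` and repeats the `assert_called_once_with(platform_admin_user['id'], False)` check would pin it. Minor, in both hunks: `mock_unsuccesful_login_api_call` misspells "unsuccessful"; `mock_unsuccessful_login_api_call` reads better. The test function starts outside the hunk.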