Merge pull request #1027 from hpcc-systems/yadhap/lock-users-after-invalid-login-attemtps

FancMa01 · web-flow · commit 611135c41895 · 2025-02-26T10:41:56.000-07:00
Lock Account After 5 Invalid Login Attempt
diff --git a/Tombolo/server/controllers/authController.js b/Tombolo/server/controllers/authController.js
@@ -19,6 +19,7 @@ const {
   generateAndSetCSRFToken,
   setPreviousPasswords,
   setLastLogin,
+  handleInvalidLoginAttempt
 } = require("../utils/authUtil");
 const { blacklistToken } = require("../utils/tokenBlackListing");
 const sequelize = require("../models").sequelize;
@@ -662,6 +663,21 @@ const loginBasicUser = async (req, res, next) => {
       });
     }
 
+    // If the accountLocked.isLocked is true, return generic error
+    if (user.accountLocked.isLocked) {
+      logger.error(`Login : Login Attempt by user with locked account ${email}`);
+      return res.status(403).json({
+        success: false,
+        message: genericError,
+      });
+    }
+    
+    //Compare password
+    if (!bcrypt.compareSync(password, user.hash)) {
+      logger.error(`Login : Invalid password for user with email ${email}`); 
+      await handleInvalidLoginAttempt({user, errMessage: genericError})
+    }
+
     // If not verified user return error
     if (!user.verifiedUser) {
       logger.error(`Login : Login attempt by unverified user - ${user.id}`);
@@ -678,9 +694,6 @@ const loginBasicUser = async (req, res, next) => {
         `Login : Login attempt by user with expired password - ${user.id}`
       );
 
-      //send password expired email
-      // await sendPasswordExpiredEmail(user);
-
       res.status(401).json({
         success: false,
         message: "password-expired",
@@ -713,15 +726,7 @@ const loginBasicUser = async (req, res, next) => {
       azureError.status = 403;
       throw azureError;
     }
-    //Compare password
-    if (!bcrypt.compareSync(password, user.hash)) {
-      logger.error(`Login : Invalid password for user with email ${email}`);
 
-      // Incorrect E-mail password combination error
-      const invalidCredentialsErr = new Error(genericError);
-      invalidCredentialsErr.status = 403;
-      throw invalidCredentialsErr;
-    }
     // Remove hash from use object
     const userObj = user.toJSON();
     delete userObj.hash;
@@ -772,7 +777,7 @@ const loginBasicUser = async (req, res, next) => {
     }
     res
       .status(err.status || 500)
-      .json({ success: false, message: err.message });
+      .json({ success: false, message: err.message});
   }
 };
 
diff --git a/Tombolo/server/migrations/20220507024001-create-user.js b/Tombolo/server/migrations/20220507024001-create-user.js
@@ -60,6 +60,18 @@ module.exports = {
         type: Sequelize.DATE,
         allowNull: true,
       },
+      loginAttempts: {
+        type: Sequelize.INTEGER,
+        allowNull: false,
+        defaultValue: 0,
+      },
+      accountLocked: {
+        type: Sequelize.JSON,
+        defaultValue: {
+          isLocked: false,
+          lockedReason: [],
+        },
+      },
       lastLoginAt: {
         type: Sequelize.DATE,
         allowNull: true,
diff --git a/Tombolo/server/models/user.js b/Tombolo/server/models/user.js
@@ -63,6 +63,19 @@ module.exports = (sequelize, DataTypes) => {
         type: DataTypes.DATE,
         allowNull: true,
       },
+      loginAttempts: {
+        type: DataTypes.INTEGER,
+        allowNull: false,
+        defaultValue: 0,
+      },
+      accountLocked: {
+        type: DataTypes.JSON,
+        allowNull: true,
+        defaultValue: {
+          isLocked: false,
+          lockedReason: [],
+        },
+      },
       lastLoginAt: {
         type: DataTypes.DATE,
         allowNull: true,
diff --git a/Tombolo/server/notificationTemplates/email/accountLocked.ejs b/Tombolo/server/notificationTemplates/email/accountLocked.ejs
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+  <style>
+    .main_body {
+      width: 100%;
+      border-bottom: 1px solid lightgray !important;
+    }
+
+    .section-footer-td {
+      color: #808080;
+      border-top: 1px solid #808080;
+    }
+
+    .section-header-td {
+      padding-top: 8px;
+      padding-bottom: 8px;
+    }
+
+    .list {
+      padding: 10px;
+    }
+
+    .tabbedText {
+      padding-left: 40px;
+    }
+
+    .bold-text {
+      font-weight: bold;
+    }
+
+    .important-text {
+      color: #ff0000;
+    }
+  </style>
+</head>
+
+<body>
+  <table class="main_body">
+    <tbody>
+      <tr>
+        <td>
+          <table>
+            <tbody>
+              <tr>
+                <td class="section-header-td">
+                  <div>Hello <%= userName %>,</div>
+                  <div>
+                    <p>
+                      Your <span class="important-text">account has been locked </span> due to exceeding the maximum number of <span class="important-text"> unsuccessful login attempts</span>. For security reasons, access to your account has been temporarily restricted.
+                    </p>
+                    <p>
+                      To restore access, please reach out to your administrator for assistance. You can contact the following for support: </p>
+                    <div class="tabbedText">
+                      <% if (typeof supportEmailRecipients !== 'undefined') { %>
+                      <% supportEmailRecipients.forEach(function(e) { %>
+                      <div class="tabbedText"><%= e %></div>
+                      <% }); %>
+                    </div>
+                  </div>
+                  <% } %>
+                </td>
+              </tr>
+
+              <tr>
+                <td class="section-header-td">
+                  <div>Best Regards,</div>
+                  <div>Tombolo</div>
+                </td>
+              </tr>
+            </tbody>
+          </table>
+        </td>
+      </tr>
+    </tbody>
+  </table>
+</body>
+
+</html>
diff --git a/Tombolo/server/utils/authUtil.js b/Tombolo/server/utils/authUtil.js
@@ -2,6 +2,7 @@
 const jwt = require("jsonwebtoken");
 const { v4: uuidv4 } = require("uuid");
 const { Op } = require("sequelize");
+const moment = require("moment");
 
 // Local Imports
 const logger = require("../config/logger");
@@ -384,6 +385,7 @@ const setLastLogin = async (user) => {
 
   const updatedUser = await User.update(
     {
+      loginAttempts: 0,
       lastLoginAt: date,
       metaData: {
         ...user.metaData,
@@ -409,6 +411,67 @@ const setLastLogin = async (user) => {
   return;
 };
 
+// Record failed login attempt
+const handleInvalidLoginAttempt = async ({user, errMessage}) => {
+  const loginAttempts = user.loginAttempts + 1;
+  const accountLocked = user.accountLocked;
+
+  if (loginAttempts === 5) {
+    const newAccLockedData = {
+      isLocked: true,
+      lockedReason: [...new Set([...accountLocked.lockedReason, "reachedMaxLoginAttempts"])],
+    };
+
+    // Update user record
+    await User.update(
+      {
+        loginAttempts: loginAttempts,
+        accountLocked: newAccLockedData,
+      },
+      { where: { id: user.id } }
+    );
+
+    // Queue notification
+    await sendAccountLockedEmail(user);
+  }else{
+    // Update user record
+    await User.update({loginAttempts: loginAttempts},
+      { where: { id: user.id } }
+    );
+  }
+
+  // Incorrect E-mail password combination error
+  const invalidCredentialsErr = new Error(errMessage);
+  invalidCredentialsErr.status = 403;
+  throw invalidCredentialsErr;
+};
+
+// Function to send account locked email
+const sendAccountLockedEmail = async (user) => {
+  // Get support email recipients
+  const supportEmailRecipients = await getSupportContactEmails();
+
+  await NotificationQueue.create({
+    type: "email",
+    templateName: "accountLocked",
+    notificationOrigin: "User Authentication",
+    deliveryType: "immediate",
+    metaData: {
+      notificationId: `ACC_LOCKED_${moment().format("YYYYMMDD_HHmmss_SSS")}`,
+      recipientName: user.firstName,
+      notificationOrigin: "User Authentication",
+      subject: "Your account has been locked",
+      mainRecipients: [user.email],
+      notificationDescription:
+        "Account locked because of too many failed login attempts",
+      userName: user.firstName,
+      userEmail: user.email,
+      supportEmailRecipients,
+    },
+    createdBy: user.id,
+  });
+};
+
 const deleteUser = async (id, reason) => {
   try {
     if (!reason || reason === "") {
@@ -472,5 +535,6 @@ module.exports = {
   generatePassword,
   setLastLogin,
   setLastLoginAndReturn,
+  handleInvalidLoginAttempt,
   deleteUser,
 };
