Fix brute force vuln due to callbacks not being ran (#235)

The authenticate method previously would return before callbacks executed if an invalid password was provided, which causes the brute force protection to only work for the first lockout period, and only resets after a successful login. Fixes #231
Sorcery · May 2, 2020 · 0f116d2 · 0f116d2
1 parent 6b72ca3
commit 0f116d2
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/lib/sorcery/model.rb b/lib/sorcery/model.rb
@@ -102,10 +102,6 @@ def authenticate(*credentials, &block)
 
         set_encryption_attributes
 
-        unless user.valid_password?(credentials[1])
-          return authentication_response(user: user, failure: :invalid_password, &block)
-        end
-
         if user.respond_to?(:active_for_authentication?) && !user.active_for_authentication?
           return authentication_response(user: user, failure: :inactive, &block)
         end
@@ -118,6 +114,10 @@ def authenticate(*credentials, &block)
           end
         end
 
+        unless user.valid_password?(credentials[1])
+          return authentication_response(user: user, failure: :invalid_password, &block)
+        end
+
         authentication_response(user: user, return_value: user, &block)
       end