Fixed brute_force vulnerability Sorcery#231

extend the account lock for subsequent failed login attempts after the initial lock period

lib/sorcery/controller/submodules/brute_force_protection.rb

@@ -26,7 +26,10 @@ module InstanceMethods
           # Runs as a hook after a failed login.
           def update_failed_logins_count!(credentials)
             user = user_class.sorcery_adapter.find_by_credentials(credentials)
-            user.register_failed_login! if user
+
+            # if the password is valid, don't extend the lock expiry. The
+            # authentication has already failed due to the lock.
+            user.register_failed_login! if user && !user.valid_password?(credentials[1])
           end
 
           # Resets the failed logins counter.

lib/sorcery/model/submodules/brute_force_protection.rb

@@ -65,7 +65,6 @@ module InstanceMethods
           # Calls 'login_lock!' if login retries limit was reached.
           def register_failed_login!
             config = sorcery_config
-            return unless login_unlocked?
 
             sorcery_adapter.increment(config.failed_logins_count_attribute_name)
 
@@ -92,14 +91,15 @@ def login_locked?
           protected
 
           def login_lock!
+            was_already_locked = !login_unlocked?
             config = sorcery_config
             attributes = { config.lock_expires_at_attribute_name => Time.now.in_time_zone + config.login_lock_time_period,
                            config.unlock_token_attribute_name => TemporaryToken.generate_random_token }
             sorcery_adapter.update_attributes(attributes)
 
             return if config.unlock_token_mailer_disabled || config.unlock_token_mailer.nil?
 
-            send_unlock_token_email!
+            send_unlock_token_email! unless was_already_locked
           end
 
           def login_unlocked?