diff --git a/lib/sorcery/controller/submodules/brute_force_protection.rb b/lib/sorcery/controller/submodules/brute_force_protection.rb
index 67b12f87..8176731b 100644
--- a/lib/sorcery/controller/submodules/brute_force_protection.rb
+++ b/lib/sorcery/controller/submodules/brute_force_protection.rb
@@ -26,7 +26,10 @@ module InstanceMethods
 # Runs as a hook after a failed login.
 def update_failed_logins_count!(credentials)
 user = user_class.sorcery_adapter.find_by_credentials(credentials)
- user.register_failed_login! if user
+
+ # if the password is valid, don't extend the lock expiry. The
+ # authentication has already failed due to the lock.
+ user.register_failed_login! if user && !user.valid_password?(credentials[1])
 end
 
 # Resets the failed logins counter.
diff --git a/lib/sorcery/model/submodules/brute_force_protection.rb b/lib/sorcery/model/submodules/brute_force_protection.rb
index 18c55074..c6802797 100644
--- a/lib/sorcery/model/submodules/brute_force_protection.rb
+++ b/lib/sorcery/model/submodules/brute_force_protection.rb
@@ -65,7 +65,6 @@ module InstanceMethods
 # Calls 'login_lock!' if login retries limit was reached.
 def register_failed_login!
 config = sorcery_config
- return unless login_unlocked?
 
 sorcery_adapter.increment(config.failed_logins_count_attribute_name)
 
@@ -92,6 +91,7 @@ def login_locked?
 protected
 
 def login_lock!
+ was_already_locked = !login_unlocked?
 config = sorcery_config
 attributes = { config.lock_expires_at_attribute_name => Time.now.in_time_zone + config.login_lock_time_period,
 config.unlock_token_attribute_name => TemporaryToken.generate_random_token }
@@ -99,7 +99,7 @@ def login_lock!
 
 return if config.unlock_token_mailer_disabled || config.unlock_token_mailer.nil?
 
- send_unlock_token_email!
+ send_unlock_token_email! unless was_already_locked
 end
 
 def login_unlocked?
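Review bot: The new condition `user && !user.valid_password?(credentials[1])` makes what happens after a failed login on a locked account depend on whether the submitted password was correct: a wrong password still reaches `register_failed_login!` (and, with the guard removed in the model file, re-extends the lock), while the correct password leaves lock_expires_at untouched, so the moment the account becomes usable again differs between the two cases and is observable from outside. If that trade-off is intended, the comment should say so explicitly, e.g. `# Accepted: a correct password during a lock does not extend it, so unlock timing differs by password validity.`; otherwise returning early for a locked user regardless of password is the safer shape. `credentials[1]` hard-codes the password's position in the credentials array, which nothing in this hook documents; `_, password = credentials` followed by `user.valid_password?(password)` would at least name it. `valid_password?` presumably performs a password-hash comparison, so it is now run a second time on every failed attempt for an existing user — fine if accepted, but worth a word in the comment.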
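Review bot: Dropping `return unless login_unlocked?` from `register_failed_login!` means every further wrong password against an already-locked account increments the counter again and — assuming the limit check that follows outside the hunk still fires, since the counter only ever grows here — re-enters `login_lock!`, which writes a fresh `TemporaryToken.generate_random_token` into the unlock-token attribute on every call, while the `unless was_already_locked` guard added in the last hunk suppresses only the e-mail. The net effect is that the unlock link already sent to the user is invalidated by any subsequent failed attempt, including attempts by whoever triggered the lock, and no replacement link is ever sent. Either keep the existing token when extending an existing lock, e.g. build `attributes` with `config.unlock_token_attribute_name` only when `!was_already_locked`, or keep regenerating the token and resend the e-mail. The counter also grows without bound for the duration of the lock, which is harmless for a `>=` limit check but deserves a line in the method comment, `# The counter keeps increasing while locked; each hit refreshes the lock expiry.`. register_failed_login! continues past the end of the hunk.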
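Review bot: `was_already_locked = !login_unlocked?` in `login_lock!` reads as a double negative; the hunk header shows a `login_locked?` method exists, so if it is the inverse of `login_unlocked?` (neither body is inside the hunk) `was_already_locked = login_locked?` states the same thing directly. The variable also needs a one-line comment explaining why the lock state is sampled at the top, before the `attributes` hash built just below moves lock_expires_at into the future, e.g. `# Sampled before the expiry is rewritten below; decides whether an unlock e-mail is sent.`. login_lock! continues into the following hunk.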