Add invalid attempts

cmd/dex/config.go

@@ -20,14 +20,15 @@ import (
 
 // Config is the config format for the main application.
 type Config struct {
-	Issuer    string    `json:"issuer"`
-	Storage   Storage   `json:"storage"`
-	Web       Web       `json:"web"`
-	Telemetry Telemetry `json:"telemetry"`
-	OAuth2    OAuth2    `json:"oauth2"`
-	GRPC      GRPC      `json:"grpc"`
-	Expiry    Expiry    `json:"expiry"`
-	Logger    Logger    `json:"logger"`
+	Issuer          string          `json:"issuer"`
+	Storage         Storage         `json:"storage"`
+	Web             Web             `json:"web"`
+	Telemetry       Telemetry       `json:"telemetry"`
+	OAuth2          OAuth2          `json:"oauth2"`
+	GRPC            GRPC            `json:"grpc"`
+	Expiry          Expiry          `json:"expiry"`
+	InvalidAttempts InvalidAttempts `json:"invalidAttempts`
+	Logger          Logger          `json:"logger"`
 
 	Frontend server.WebConfig `json:"frontend"`
 
@@ -291,3 +292,9 @@ type Logger struct {
 	// Format specifies the format to be used for logging.
 	Format string `json:"format"`
 }
+
+type InvalidAttempts struct {
+	EnableInvalidAttempts bool  `json:"enableInvalidAttempts"`
+	BlockDuration         int32 `json:"blockDuration"`
+	MaxAttemptsAllowed    int32 `json:"maxAttemptsAllowed"`
+}

cmd/dex/serve.go

@@ -261,6 +261,13 @@ func serve(cmd *cobra.Command, args []string) error {
 		logger.Infof("config id tokens valid for: %v", idTokens)
 		serverConfig.IDTokensValidFor = idTokens
 	}
+
+	if c.InvalidAttempts.EnableInvalidAttempts {
+		serverConfig.EnableInvalidAttempts = c.InvalidAttempts.EnableInvalidAttempts
+		serverConfig.BlockDuration = c.InvalidAttempts.BlockDuration
+		serverConfig.MaxAttemptsAllowed = c.InvalidAttempts.MaxAttemptsAllowed
+	}
+
 	if c.Expiry.AuthRequests != "" {
 		authRequests, err := time.ParseDuration(c.Expiry.AuthRequests)
 		if err != nil {

server/handlers.go

@@ -209,6 +209,53 @@ func (s *Server) discoveryHandler() (http.HandlerFunc, error) {
 	}), nil
 }
 
+func (s *Server) isFailedAttemptDurationExceeded(u storage.BlockedUser) bool {
+	if diff := time.Since(u.UpdatedAt); diff.Minutes() > float64(s.blockDuration) {
+		return true
+	}
+	return false
+}
+
+func (s *Server) resetFailedAttempt(username string, w http.ResponseWriter, r *http.Request) {
+	updater := func(u storage.BlockedUser) (storage.BlockedUser, error) {
+		u.InvalidAttemptsCount = 1
+		u.UpdatedAt = time.Now()
+		return u, nil
+	}
+
+	if err := s.storage.UpdateBlockedUser(username, updater); err != nil {
+		s.logger.Errorf("Failed to reset invalid counter: %v", err)
+		s.renderError(r, w, http.StatusInternalServerError, fmt.Sprintf("db error: %v", err))
+		return
+	}
+}
+
+func (s *Server) isAllowedFailedAttemptExceeded(u storage.BlockedUser) bool {
+	return u.InvalidAttemptsCount >= s.maxAttemptsAllowed
+}
+
+func (s *Server) isUserBlocked(u storage.BlockedUser) bool {
+	diff := time.Since(u.UpdatedAt)
+	if diff.Minutes() <= float64(s.blockDuration) && u.InvalidAttemptsCount >= s.maxAttemptsAllowed {
+		return true
+	}
+	return false
+}
+
+func (s *Server) updateInvalidAttemptCount(username string, w http.ResponseWriter, r *http.Request) {
+	updater := func(u storage.BlockedUser) (storage.BlockedUser, error) {
+		u.InvalidAttemptsCount = u.InvalidAttemptsCount + 1
+		u.UpdatedAt = time.Now()
+		return u, nil
+	}
+
+	if err := s.storage.UpdateBlockedUser(username, updater); err != nil {
+		s.logger.Errorf("Failed to increment invalid counter: %v", err)
+		s.renderError(r, w, http.StatusInternalServerError, fmt.Sprintf("db error: %v", err))
+		return
+	}
+}
+
 // handleAuthorization handles the OAuth2 auth endpoint.
 func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
 	authReq, err := s.parseAuthorizationRequest(r)
@@ -351,7 +398,7 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 			}
 			http.Redirect(w, r, callbackURL, http.StatusFound)
 		case connector.PasswordConnector:
-			if err := s.templates.password(r, w, r.URL.String(), "", usernamePrompt(conn), false, showBacklink); err != nil {
+			if err := s.templates.password(r, w, r.URL.String(), "", usernamePrompt(conn), false, showBacklink, 0, s.maxAttemptsAllowed, s.blockDuration); err != nil {
 				s.logger.Errorf("Server template error: %v", err)
 			}
 		case connector.SAMLConnector:
@@ -392,25 +439,86 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 		username := r.FormValue("login")
 		password := r.FormValue("password")
 
+		//check if username is in blocked_user table
+		blockedUser, err := s.storage.GetBlockedUser(username)
+		if err != nil {
+			s.logger.Errorf("Failed to get blocked user: %v", err)
+			s.renderError(r, w, http.StatusInternalServerError, fmt.Sprintf("Failed to get blocked user: %v", err))
+			return
+		}
+
+		if s.isUserBlocked(blockedUser) {
+			s.logger.Errorf("User is blocked")
+			if err := s.templates.password(r, w, r.URL.String(), username, usernamePrompt(passwordConnector), true, showBacklink, blockedUser.InvalidAttemptsCount, s.maxAttemptsAllowed, s.blockDuration); err != nil {
+				s.logger.Errorf("Server template error: %v", err)
+			}
+			return
+		}
+
 		identity, ok, err := passwordConnector.Login(r.Context(), scopes, username, password)
 		if err != nil {
 			s.logger.Errorf("Failed to login user: %v", err)
 			s.renderError(r, w, http.StatusInternalServerError, fmt.Sprintf("Login error: %v", err))
 			return
 		}
 		if !ok {
-			if err := s.templates.password(r, w, r.URL.String(), username, usernamePrompt(passwordConnector), true, showBacklink); err != nil {
+			if blockedUser.Username != username {
+				//create blocked user
+				err := s.storage.CreateBlockedUser(storage.BlockedUser{
+					Username:             username,
+					InvalidAttemptsCount: 1,
+					UpdatedAt:            time.Now(),
+				})
+
+				if err != nil {
+					s.logger.Errorf("Failed to create blocked user: %v", err)
+					s.renderError(r, w, http.StatusInternalServerError, "db error.")
+					return
+				}
+
+				if err := s.templates.password(r, w, r.URL.String(), username, usernamePrompt(passwordConnector), true, showBacklink, 1, s.maxAttemptsAllowed, s.blockDuration); err != nil {
+					s.logger.Errorf("Server template error: %v", err)
+				}
+				return
+			}
+
+			if s.isFailedAttemptDurationExceeded(blockedUser) {
+				s.resetFailedAttempt(username, w, r)
+				if err := s.templates.password(r, w, r.URL.String(), username, usernamePrompt(passwordConnector), true, showBacklink, 1, s.maxAttemptsAllowed, s.blockDuration); err != nil {
+					s.logger.Errorf("Server template error: %v", err)
+				}
+				return
+			}
+
+			if s.isAllowedFailedAttemptExceeded(blockedUser) {
+				s.logger.Errorf("User is blocked: %v", blockedUser.InvalidAttemptsCount)
+				if err := s.templates.password(r, w, r.URL.String(), username, usernamePrompt(passwordConnector), true, showBacklink, blockedUser.InvalidAttemptsCount, s.maxAttemptsAllowed, s.blockDuration); err != nil {
+					s.logger.Errorf("Server template error: %v", err)
+				}
+				return
+			}
+
+			s.updateInvalidAttemptCount(username, w, r)
+
+			if err := s.templates.password(r, w, r.URL.String(), username, usernamePrompt(passwordConnector), true, showBacklink, blockedUser.InvalidAttemptsCount+1, s.maxAttemptsAllowed, s.blockDuration); err != nil {
 				s.logger.Errorf("Server template error: %v", err)
 			}
 			return
 		}
+
 		redirectURL, err := s.finalizeLogin(identity, authReq, conn.Connector)
 		if err != nil {
 			s.logger.Errorf("Failed to finalize login: %v", err)
 			s.renderError(r, w, http.StatusInternalServerError, "Login error.")
 			return
 		}
 
+		if err := s.storage.DeleteBlockedUser(username); err != nil && err != storage.ErrNotFound {
+			s.logger.Errorf("Failed to delete blocked user: %v", err)
+			s.renderError(r, w, http.StatusInternalServerError, "db error.")
+			return
+		}
+
 		http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 	default:
 		s.renderError(r, w, http.StatusBadRequest, "Unsupported request method.")

server/server.go

@@ -80,6 +80,10 @@ type Config struct {
 	IDTokensValidFor       time.Duration // Defaults to 24 hours
 	AuthRequestsValidFor   time.Duration // Defaults to 24 hours
 	DeviceRequestsValidFor time.Duration // Defaults to 5 minutes
+
+	EnableInvalidAttempts bool
+	BlockDuration         int32
+	MaxAttemptsAllowed    int32
 	// If set, the server will use this connector to handle password grants
 	PasswordConnector string
 
@@ -162,6 +166,10 @@ type Server struct {
 	authRequestsValidFor   time.Duration
 	deviceRequestsValidFor time.Duration
 
+	enableInvalidAttempts bool
+	blockDuration         int32
+	maxAttemptsAllowed    int32
+
 	logger log.Logger
 }
 
@@ -236,6 +244,9 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 		templates:              tmpls,
 		passwordConnector:      c.PasswordConnector,
 		logger:                 c.Logger,
+		enableInvalidAttempts:  c.EnableInvalidAttempts,
+		blockDuration:          c.BlockDuration,
+		maxAttemptsAllowed:     c.MaxAttemptsAllowed,
 	}
 
 	// Retrieves connector objects in backend storage. This list includes the static connectors

server/templates.go

@@ -284,15 +284,18 @@ func (t *templates) login(r *http.Request, w http.ResponseWriter, connectors []c
 	return renderTemplate(w, t.loginTmpl, data)
 }
 
-func (t *templates) password(r *http.Request, w http.ResponseWriter, postURL, lastUsername, usernamePrompt string, lastWasInvalid, showBacklink bool) error {
+func (t *templates) password(r *http.Request, w http.ResponseWriter, postURL, lastUsername, usernamePrompt string, lastWasInvalid, showBacklink bool, invalidAttemptsCount int32, maxAttemptsAllowed int32, blockDuration int32) error {
 	data := struct {
-		PostURL        string
-		BackLink       bool
-		Username       string
-		UsernamePrompt string
-		Invalid        bool
-		ReqPath        string
-	}{postURL, showBacklink, lastUsername, usernamePrompt, lastWasInvalid, r.URL.Path}
+		PostURL              string
+		BackLink             bool
+		Username             string
+		UsernamePrompt       string
+		Invalid              bool
+		ReqPath              string
+		InvalidAttemptsCount int32
+		MaxAttemptsAllowed   int32
+		BlockDuration        int32
+	}{postURL, showBacklink, lastUsername, usernamePrompt, lastWasInvalid, r.URL.Path, invalidAttemptsCount, maxAttemptsAllowed, blockDuration}
 	return renderTemplate(w, t.passwordTmpl, data)
 }
 

storage/etcd/etcd.go

@@ -19,6 +19,7 @@ const (
 	refreshTokenPrefix   = "refresh_token/"
 	authRequestPrefix    = "auth_req/"
 	passwordPrefix       = "password/"
+	blockedUserPrefix    = "blocked_user/"
 	offlineSessionPrefix = "offline_session/"
 	connectorPrefix      = "connector/"
 	keysName             = "openid-connect-keys"
@@ -283,13 +284,26 @@ func (c *conn) CreatePassword(p storage.Password) error {
 	return c.txnCreate(ctx, passwordPrefix+strings.ToLower(p.Email), p)
 }
 
+func (c *conn) CreateBlockedUser(u storage.BlockedUser) error {
+	ctx, cancel := context.WithTimeout(context.Background(), defaultStorageTimeout)
+	defer cancel()
+	return c.txnCreate(ctx, blockedUserPrefix+strings.ToLower(u.Username), u)
+}
+
 func (c *conn) GetPassword(email string) (p storage.Password, err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), defaultStorageTimeout)
 	defer cancel()
 	err = c.getKey(ctx, keyEmail(passwordPrefix, email), &p)
 	return p, err
 }
 
+func (c *conn) GetBlockedUser(username string) (u storage.BlockedUser, err error) {
+	ctx, cancel := context.WithTimeout(context.Background(), defaultStorageTimeout)
+	defer cancel()
+	err = c.getKey(ctx, keyUsername(blockedUserPrefix, username), &u)
+	return u, err
+}
+
 func (c *conn) UpdatePassword(email string, updater func(p storage.Password) (storage.Password, error)) error {
 	ctx, cancel := context.WithTimeout(context.Background(), defaultStorageTimeout)
 	defer cancel()
@@ -308,12 +322,36 @@ func (c *conn) UpdatePassword(email string, updater func(p storage.Password) (st
 	})
 }
 
+func (c *conn) UpdateBlockedUser(username string, updater func(p storage.BlockedUser) (storage.BlockedUser, error)) error {
+	ctx, cancel := context.WithTimeout(context.Background(), defaultStorageTimeout)
+	defer cancel()
+	return c.txnUpdate(ctx, keyEmail(blockedUserPrefix, username), func(currentValue []byte) ([]byte, error) {
+		var current storage.BlockedUser
+		if len(currentValue) > 0 {
+			if err := json.Unmarshal(currentValue, &current); err != nil {
+				return nil, err
+			}
+		}
+		updated, err := updater(current)
+		if err != nil {
+			return nil, err
+		}
+		return json.Marshal(updated)
+	})
+}
+
 func (c *conn) DeletePassword(email string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), defaultStorageTimeout)
 	defer cancel()
 	return c.deleteKey(ctx, keyEmail(passwordPrefix, email))
 }
 
+func (c *conn) DeleteBlockedUser(username string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), defaultStorageTimeout)
+	defer cancel()
+	return c.deleteKey(ctx, keyEmail(blockedUserPrefix, username))
+}
+
 func (c *conn) ListPasswords() (passwords []storage.Password, err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), defaultStorageTimeout)
 	defer cancel()
@@ -558,8 +596,9 @@ func (c *conn) txnUpdate(ctx context.Context, key string, update func(current []
 	return nil
 }
 
-func keyID(prefix, id string) string       { return prefix + id }
-func keyEmail(prefix, email string) string { return prefix + strings.ToLower(email) }
+func keyID(prefix, id string) string             { return prefix + id }
+func keyEmail(prefix, email string) string       { return prefix + strings.ToLower(email) }
+func keyUsername(prefix, username string) string { return prefix + strings.ToLower(username) }
 func keySession(prefix, userID, connID string) string {
 	return prefix + strings.ToLower(userID+"|"+connID)
 }