Adds ability to set an account lockout policy #2601
Conversation
@flovilmart
describe("Account Lockout Policy: ", () => { | ||
it_exclude_dbs(['postgres'])('account should not be locked even after failed login attempts if account lockout policy is not set', done => { |
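Review bot: the `it_exclude_dbs(['postgres'])` wrapper skips this lockout test on postgres, so the new policy is only exercised against the Mongo adapter; if the postgres adapter is meant to support the feature, run the `Account Lockout Policy` describe block on both backends, or record in the test why postgres is excluded so the gap is visible.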
what's the problem with PG?
I was under the impression that PG is not ready yet for testing and that we are excluding test cases for PG.
Let me give the PG tests a shot and submit another pull request.
BTW: do you know if there is a workflow doc for contributing? i.e., a document that walks the contributor through the setup process, etc.
Not really. For PG, you need postgres > 9.4 with the POSTGIS extension loaded, and you need to create the tables (see .travis.yml for the commands).
Current coverage is 92.11% (diff: 91.01%)

@@            master    #2601    diff @@
==========================================
  Files           99      100      +1
  Lines        12113    12282    +169
  Methods       1488     1522     +34
  Messages         0        0
  Branches      1996     2020     +24
==========================================
+ Hits         11154    11313    +159
- Misses         959      969     +10
  Partials         0        0
@cherukumilli updated the pull request - view changes
@cherukumilli updated the pull request - view changes
Seems that there is an issue with PG on your PR. I'd still like to get it up and running for that DB. You can debug the 3 failing tests
by replacing the
@flovilmart Is there a Contributor Workflow document that has the instructions like setting the environment variables? I wonder if I should add the instructions you provided above to the existing contributions document (https://github.com/ParsePlatform/parse-server/blob/master/CONTRIBUTING.md). It will be useful for other contributors.
@cherukumilli you're 100% right! We should add that to this file. I'll add it.
@cherukumilli updated the pull request - view changes
if (fieldName == '_perishable_token') { | ||
valuesArray.push(object[fieldName].iso); | ||
valuesArray.push(object[fieldName].iso); // TODO: check with @flovilmart about why .iso is needed here |
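Review bot: pushing `object[fieldName].iso` for `_perishable_token` looks wrong, as the inline TODO itself suspects; `.iso` is the accessor this adapter uses for Date values (an assumption from the name), so if the perishable token is stored as a plain string this pushes `undefined` into `valuesArray` and the token is never written. Suggest `valuesArray.push(object[fieldName]);` and a test on postgres that sets a password-reset token and reads it back.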
this is probably an error...
Updating. Also I don't see any of the other test cases using
@cherukumilli updated the pull request - view changes
@cherukumilli updated the pull request - view changes
Nice PR! Was just thinking about the need for this last night!
@cherukumilli updated the pull request - view changes
Looking good, but change fit for it (otherwise only fit tests run :P)
@cherukumilli updated the pull request - view changes
Very neat feature as always @cherukumilli! Thanks for your commitment to making it more secure!
Thanks @flovilmart. BTW: I see warnings and errors like the following in my local setup for the PG GeoPoint tests in file
Please see the attached file for error details after running command |
Seems ok on Travis. Did you enable the postgis extension?
Looking very nice!! Thanks again!
Is this going to be targeted for v2.3.0?
We don't have a target date for the next release; as soon as all PRs are merged for 2.2.19 we'll release.
Hi all, @cherukumilli. It seems like a locked-out account, although it does not have access to the login API, can still access other classes/objects with a valid session token. Why don't we remove all of the user's session tokens when the user is locked out?
@flovilmart @cherukumilli @facebook-github-bot Is there a way to actually lock the user out in cloud code?
@ederelk For example: In the scenario above, IMO,
Please let me know if you are seeing a security vulnerability that I am not seeing here.
@cherukumilli @facebook-github-bot @flavionegrao
This is a fix for issue #2508
Account lockout policy:

Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error.
Update parse-server to track logon attempts and respond to this type of potential attack by disabling the account for a preset period of time.

This setting will have 2 parameters:

Account lockout duration:
The Account lockout duration policy setting determines the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. The available range is from 1 through 99,999 minutes.

Account lockout threshold:
The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. You can set a value from 1 through 999 failed sign-in attempts.
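The two parameters above define a small state machine per account: count failed sign-ins, lock at the threshold, and clear the lock once the duration has elapsed. The following is an added example (written for this page, not parse-server's own implementation from the PR) that models exactly that policy in memory, including the range checks on the two settings and the "automatically unlocked" expiry. The class and method names (`LockoutPolicy`, `recordFailure`, `isLocked`, `checkLogin`) and the constructed timestamps in `demo()` are this example's own assumptions, not parse-server identifiers.

```javascript
// Added example: an in-memory model of the account lockout policy described
// in the PR. Not parse-server code; names are this example's own.

class LockoutPolicy {
  // duration:  minutes a locked account stays locked (1 through 99,999)
  // threshold: failed sign-ins that trigger the lock (1 through 999)
  constructor({ duration, threshold }) {
    if (!Number.isInteger(duration) || duration < 1 || duration > 99999) {
      throw new Error('Account lockout duration must be an integer from 1 through 99,999 minutes');
    }
    if (!Number.isInteger(threshold) || threshold < 1 || threshold > 999) {
      throw new Error('Account lockout threshold must be an integer from 1 through 999');
    }
    this.duration = duration;
    this.threshold = threshold;
    // username -> { failedCount, lockedUntil (ms since epoch) or null }
    this.state = new Map();
  }

  _entry(username) {
    if (!this.state.has(username)) {
      this.state.set(username, { failedCount: 0, lockedUntil: null });
    }
    return this.state.get(username);
  }

  // True while the lock window is open. An expired lock is cleared and the
  // failure counter reset: this is the "automatically becoming unlocked" rule.
  isLocked(username, now = Date.now()) {
    const e = this._entry(username);
    if (e.lockedUntil === null) return false;
    if (now >= e.lockedUntil) {
      e.lockedUntil = null;
      e.failedCount = 0;
      return false;
    }
    return true;
  }

  // Record one failed sign-in and return the updated count. Reaching the
  // threshold locks the account for `duration` minutes from this attempt.
  recordFailure(username, now = Date.now()) {
    const e = this._entry(username);
    if (this.isLocked(username, now)) return e.failedCount;
    e.failedCount += 1;
    if (e.failedCount >= this.threshold) {
      e.lockedUntil = now + this.duration * 60 * 1000;
    }
    return e.failedCount;
  }

  // A successful sign-in clears the counter so old failures do not accumulate.
  recordSuccess(username) {
    this.state.set(username, { failedCount: 0, lockedUntil: null });
  }

  // Gate a hypothetical login handler would call before issuing a session:
  // a locked account is refused even when the password is correct.
  checkLogin(username, passwordOk, now = Date.now()) {
    if (this.isLocked(username, now)) {
      return { allowed: false, reason: 'locked' };
    }
    if (!passwordOk) {
      this.recordFailure(username, now);
      return { allowed: false, reason: 'invalid_credentials' };
    }
    this.recordSuccess(username);
    return { allowed: true, reason: 'ok' };
  }
}

// Constructed walk-through: threshold 3, duration 5 minutes, fixed clock.
function demo() {
  const policy = new LockoutPolicy({ duration: 5, threshold: 3 });
  const t0 = 1000000;
  const fiveMinutes = 5 * 60 * 1000;
  return [
    policy.checkLogin('alice', false, t0).reason,               // invalid_credentials
    policy.checkLogin('alice', false, t0 + 1000).reason,        // invalid_credentials
    policy.checkLogin('alice', false, t0 + 2000).reason,        // invalid_credentials, lock starts
    policy.checkLogin('alice', true, t0 + 3000).reason,         // locked: right password still refused
    policy.checkLogin('alice', true, t0 + 2000 + fiveMinutes).reason, // ok: window elapsed
  ];
}
```

Note what this model does not do: it only gates the login path. Session tokens issued before the lock are untouched, which is precisely the gap raised later in this thread; a deployment that wants a lock to cut off existing access would need to revoke the account's sessions at the moment `lockedUntil` is set.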