Add signal for invalid login attempt

[jameshanlon]

This is a feature request. Flask-User is entirely vulnerable to brute force password attacks. However, it would be straight forward to add a signal for a failed login attempt to allow users of Flask-Login to implement a mechanism to defend against this.

[CodeRhymesLife]

We have the same issue. Adding a bit more info about our specific use case.

ACTUAL:
There isn't an easy way to react to a failed login due to an invalid password. This is important for security. We want to lock a user's account after 5 invalid password attempts but don't have a way to react to a failed login attempt.

EXPECTED:
Easy way to react to failed login due to invalid password.

PROPOSED FIX:
Update LoginForm.validate to fire signal when password verification fails.

Flask-User/flask_user/forms.py

Lines 201 to 203 in a379fa0

	# Handle successful authentication
	if user and user_manager.verify_password(self.password.data, user.password):
	return True # Successful authentication

[jameshanlon]

@drryanjames Thanks for fixing this issue. Hopefully it will be merged in soon!

[jameshanlon]

@lingthio - This issue has been open since May 2018 and represents a significant security consideration for the project. A simple fix has been made and merge request open since August 2018 by @drryanjames. Is there any reason why the fix can't be merged now?

[emin-ec]

I'm curious what the status of this issue and related PR is. This seems like a good fix. Is there a reason why it seems to have been ignored? I guess an alternative is to override the login form in flask security or other tools and react to failed logins that way. It would be nice to have an official solution though or know what the issues are in not having one.

Thanks.

[and-semakin]

I agree that this is a very important functionality. The only reason it is not yet merged is the lack of maintainers time. I plan to review and merge the PRs that have accumulated over a long time, including #230. We also need to write tests for this feature. Thank you for your patience :)