feat: improve lockout mechanism

Author: amcsz

intranet/apps/auth/backends.py

@@ -22,7 +22,7 @@ class PamAuthenticationResult(enum.Enum):
     FAILURE = 0  # Authentication failed
     SUCCESS = 1  # Authentication succeeded
     EXPIRED = -1  # Password expired; needs reset
-    LOCKED = -2  # User locked out due to incorrect attempts
+    LOCKED = 6  # User locked out due to incorrect attempts
 
 
 class PamAuthenticationBackend:
@@ -73,15 +73,15 @@ def pam_auth(username, password):
         realm = settings.CSL_REALM
         pam_authenticator = pam.pam()
         full_username = f"{username}@{realm}"
-        result = pam_authenticator.authenticate(full_username, password)
+        result = pam_authenticator.authenticate(full_username, password, service="ion-login")
 
         if result:
             result = PamAuthenticationResult.SUCCESS
             logger.debug("PAM authorized %s@%s", username, realm)
         else:
             logger.debug("PAM failed to authorize %s", username)
             result = PamAuthenticationResult.FAILURE
-            if "have exhausted maximum number of retries for service" in pam_authenticator.reason.lower():
+            if pam_authenticator.code == 6:
                 result = PamAuthenticationResult.LOCKED
             if "authentication token is no longer valid" in pam_authenticator.reason.lower():
                 result = PamAuthenticationResult.EXPIRED

intranet/apps/auth/views.py

@@ -152,10 +152,6 @@ def index_view(request, auth_form=None, force_login=False, added_context=None, h
         schedule = schedule_context(request)
         data.update(schedule)
 
-        if "user_locked_out" in request.session and request.session["user_locked_out"] == 1:
-            data.update({"auth_message": "You are locked out due to too many incorrect logins. Please try again later."})
-            request.session.pop("user_locked_out")
-
         if added_context is not None:
             data.update(added_context)
         return render(request, "auth/login.html", data)
@@ -177,14 +173,18 @@ def post(self, request):
         if re.search(r"^(\d{4})?[a-zA-Z]+\d?$", username) is None:
             return index_view(request, added_context={"auth_message": "Your username format is incorrect."})
 
-        form = AuthenticateForm(data=request.POST)
+        form = AuthenticateForm(request, data=request.POST)
 
         if request.session.test_cookie_worked():
             request.session.delete_test_cookie()
         else:
             logger.warning("No cookie support detected! This could cause problems.")
 
-        authenticate(request, username=username, password=request.POST.get("password", ""))
+        if request.session.get("user_locked_out", "") == 1:
+            request.session.pop("user_locked_out")
+            return index_view(request, auth_form=form, added_context={
+                "auth_message": "You are locked out due to too many incorrect logins. Please try again later."
+            })
 
         if form.is_valid():
             reset_user, _ = get_user_model().objects.get_or_create(username="RESET_PASSWORD", user_type="service", id=999999)