Chore: Add login protection when user is trying different uppercase letters (#87588)

* add login protection when the user is trying different uppercase letters
1 year ago · cd98aaf89b
parent 867d36fe59
commit cd98aaf89b
2 changed files with 30 additions and 3 deletions
--- a/pkg/services/loginattempt/loginattemptimpl/login_attempt.go
+++ b/pkg/services/loginattempt/loginattemptimpl/login_attempt.go
@ -2,6 +2,7 @@ package loginattemptimpl

 import (
 	"context"
+	"strings"
 	"time"

 	"github.com/grafana/grafana/pkg/infra/db"
@ -54,14 +55,14 @@ func (s *Service) Add(ctx context.Context, username, IPAddress string) error {
 	}

 	_, err := s.store.CreateLoginAttempt(ctx, CreateLoginAttemptCommand{
-		Username:  username,
+		Username:  strings.ToLower(username),
 		IpAddress: IPAddress,
 	})
 	return err
 }

 func (s *Service) Reset(ctx context.Context, username string) error {
-	return s.store.DeleteLoginAttempts(ctx, DeleteLoginAttemptsCommand{username})
+	return s.store.DeleteLoginAttempts(ctx, DeleteLoginAttemptsCommand{strings.ToLower(username)})
 }

 func (s *Service) Validate(ctx context.Context, username string) (bool, error) {
@ -70,7 +71,7 @@ func (s *Service) Validate(ctx context.Context, username string) (bool, error) {
 	}

 	loginAttemptCountQuery := GetUserLoginAttemptCountQuery{
-		Username: username,
+		Username: strings.ToLower(username),
 		Since:    time.Now().Add(-loginAttemptsWindow),
 	}

--- a/pkg/services/loginattempt/loginattemptimpl/login_attempt_test.go
+++ b/pkg/services/loginattempt/loginattemptimpl/login_attempt_test.go
@ -6,6 +6,7 @@ import (

 	"github.com/stretchr/testify/assert"

+	"github.com/grafana/grafana/pkg/infra/db"
 	"github.com/grafana/grafana/pkg/services/loginattempt"
 	"github.com/grafana/grafana/pkg/setting"
 )
@ -79,6 +80,31 @@ func TestService_Validate(t *testing.T) {
 	}
 }

+func TestLoginAttempts(t *testing.T) {
+	ctx := context.Background()
+	cfg := setting.NewCfg()
+	cfg.DisableBruteForceLoginProtection = false
+	db := db.InitTestDB(t)
+	service := ProvideService(db, cfg, nil)
+
+	// add multiple login attempts with different uppercases, they all should be counted as the same user
+	_ = service.Add(ctx, "admin", "[::1]")
+	_ = service.Add(ctx, "Admin", "[::1]")
+	_ = service.Add(ctx, "aDmin", "[::1]")
+	_ = service.Add(ctx, "adMin", "[::1]")
+	_ = service.Add(ctx, "admIn", "[::1]")
+	_ = service.Add(ctx, "admIN", "[::1]")
+
+	// validate the number of attempts is correct for all the different uppercases
+	count, err := service.store.GetUserLoginAttemptCount(ctx, GetUserLoginAttemptCountQuery{Username: "admin"})
+	assert.Nil(t, err)
+	assert.Equal(t, int64(6), count)
+
+	ok, err := service.Validate(ctx, "admin")
+	assert.False(t, ok)
+	assert.Nil(t, err)
+}
+
 var _ store = new(fakeStore)

 type fakeStore struct {