security: implement user lockout (#1552)

* add data-types required for login security * implement user lockout checking at login * cleanup legacy patterns * expose passwords in test_user * test user lockout after bad attempts * test user service * bump alembic version * save increment to database * add locked_at to datetime transformer on import * do proper test cleanup * implement scheduled task * spelling * document env variables * implement context manager for session * use context manager * implement reset script * cleanup generator * run generator * implement API endpoint for resetting locked users * add button to reset all locked users * add info when account is locked * use ignore instead of expect-error
2025-08-04 21:15:22 +02:00 · 2022-08-13 13:18:12 -08:00 · 2022-08-13 13:18:12 -08:00 · b3c41a4bd0
commit b3c41a4bd0
parent ca64584fd1
35 changed files with 450 additions and 46 deletions
--- a/frontend/api/admin/admin-users.ts
+++ b/frontend/api/admin/admin-users.ts
@ -1,14 +1,19 @@
 import { BaseCRUDAPI } from "../_base";
-import { UserIn, UserOut } from "~/types/api-types/user";
+import { UnlockResults, UserIn, UserOut } from "~/types/api-types/user";

 const prefix = "/api";

 const routes = {
  adminUsers: `${prefix}/admin/users`,
  adminUsersId: (tag: string) => `${prefix}/admin/users/${tag}`,
+  adminResetLockedUsers: (force: boolean) => `${prefix}/admin/users/unlock?force=${force ? "true" : "false"}`,
 };

 export class AdminUsersApi extends BaseCRUDAPI<UserIn, UserOut, UserOut> {
  baseRoute: string = routes.adminUsers;
  itemRoute = routes.adminUsersId;
+
+  async unlockAllUsers(force = false) {
+    return await this.requests.post<UnlockResults>(routes.adminResetLockedUsers(force), {});
+  }
 }
--- a/frontend/pages/admin/manage/users/index.vue
+++ b/frontend/pages/admin/manage/users/index.vue
@ -10,9 +10,22 @@
    <BaseCardSectionTitle title="User Management"> </BaseCardSectionTitle>
    <section>
      <v-toolbar color="background" flat class="justify-between">
-        <BaseButton to="/admin/manage/users/create">
+        <BaseButton to="/admin/manage/users/create" class="mr-2">
          {{ $t("general.create") }}
        </BaseButton>
+
+        <BaseOverflowButton
+          mode="event"
+          :items="[
+            {
+              text: 'Reset Locked Users',
+              icon: $globals.icons.lock,
+              event: 'unlock-all-users',
+            },
+          ]"
+          @unlock-all-users="unlockAllUsers"
+        >
+        </BaseOverflowButton>
      </v-toolbar>
      <v-data-table
        :headers="headers"
@ -53,14 +66,15 @@

 <script lang="ts">
 import { defineComponent, reactive, ref, toRefs, useContext, useRouter } from "@nuxtjs/composition-api";
-import { useUserApi } from "~/composables/api";
+import { useAdminApi } from "~/composables/api";
+import { alert } from "~/composables/use-toast";
 import { useUser, useAllUsers } from "~/composables/use-user";
 import { UserOut } from "~/types/api-types/user";

 export default defineComponent({
  layout: "admin",
  setup() {
-    const api = useUserApi();
+    const api = useAdminApi();
    const refUserDialog = ref();

    const { i18n } = useContext();
@ -97,9 +111,20 @@ export default defineComponent({
      { text: i18n.t("general.delete"), value: "actions", sortable: false, align: "center" },
    ];

+    async function unlockAllUsers(): Promise<void> {
+      const { data } = await api.users.unlockAllUsers(true);
+
+      if (data) {
+        const unlocked = data.unlocked ?? 0;
+
+        alert.success(`${unlocked} user(s) unlocked`);
+        refreshAllUsers();
+      }
+    }
+
    return {
+      unlockAllUsers,
      ...toRefs(state),
-      api,
      headers,
      deleteUser,
      loading,
--- a/frontend/pages/login.vue
+++ b/frontend/pages/login.vue
@ -157,9 +157,12 @@ export default defineComponent({
        // See https://github.com/nuxt-community/axios-module/issues/550
        // Import $axios from useContext()
        // if ($axios.isAxiosError(error) && error.response?.status === 401) {
-        // @ts-ignore - see above
+        // @ts-ignore- see above
        if (error.response?.status === 401) {
          alert.error("Invalid Credentials");
+          // @ts-ignore - see above
+        } else if (error.response?.status === 423) {
+          alert.error("Account Locked. Please try again later");
        } else {
          alert.error("Something Went Wrong!");
        }
--- a/frontend/types/api-types/admin.ts
+++ b/frontend/types/api-types/admin.ts
@ -101,6 +101,8 @@ export interface RecipeSummary {
  recipeIngredient?: RecipeIngredient[];
  dateAdded?: string;
  dateUpdated?: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface RecipeCategory {
  id?: string;
@ -135,6 +137,8 @@ export interface IngredientUnit {
  abbreviation?: string;
  useAbbreviation?: boolean;
  id: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface CreateIngredientUnit {
  name: string;
@ -149,6 +153,8 @@ export interface IngredientFood {
  labelId?: string;
  id: string;
  label?: MultiPurposeLabelSummary;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface MultiPurposeLabelSummary {
  name: string;
--- a/frontend/types/api-types/cookbook.ts
+++ b/frontend/types/api-types/cookbook.ts
@ -86,6 +86,8 @@ export interface RecipeSummary {
  recipeIngredient?: RecipeIngredient[];
  dateAdded?: string;
  dateUpdated?: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface RecipeCategory {
  id?: string;
@ -114,6 +116,8 @@ export interface IngredientUnit {
  abbreviation?: string;
  useAbbreviation?: boolean;
  id: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface CreateIngredientUnit {
  name: string;
@ -128,6 +132,8 @@ export interface IngredientFood {
  labelId?: string;
  id: string;
  label?: MultiPurposeLabelSummary;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface MultiPurposeLabelSummary {
  name: string;
--- a/frontend/types/api-types/group.ts
+++ b/frontend/types/api-types/group.ts
@ -197,6 +197,8 @@ export interface IngredientFood {
  labelId?: string;
  id: string;
  label?: MultiPurposeLabelSummary;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface MultiPurposeLabelSummary {
  name: string;
@ -211,6 +213,8 @@ export interface IngredientUnit {
  abbreviation?: string;
  useAbbreviation?: boolean;
  id: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface ReadGroupPreferences {
  privateGroup?: boolean;
@ -259,6 +263,8 @@ export interface RecipeSummary {
  recipeIngredient?: RecipeIngredient[];
  dateAdded?: string;
  dateUpdated?: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface RecipeCategory {
  id?: string;
@ -322,6 +328,8 @@ export interface SetPermissions {
 }
 export interface ShoppingListCreate {
  name?: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface ShoppingListItemCreate {
  shoppingListId: string;
@ -336,6 +344,8 @@ export interface ShoppingListItemCreate {
  food?: IngredientFood;
  labelId?: string;
  recipeReferences?: ShoppingListItemRecipeRef[];
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface ShoppingListItemRecipeRef {
  recipeId: string;
@ -353,7 +363,9 @@ export interface ShoppingListItemOut {
  foodId?: string;
  food?: IngredientFood;
  labelId?: string;
-  recipeReferences?: ShoppingListItemRecipeRefOut[];
+  recipeReferences?: (ShoppingListItemRecipeRef | ShoppingListItemRecipeRefOut)[];
+  createdAt?: string;
+  updateAt?: string;
  id: string;
  label?: MultiPurposeLabelSummary;
 }
@ -376,10 +388,14 @@ export interface ShoppingListItemUpdate {
  food?: IngredientFood;
  labelId?: string;
  recipeReferences?: ShoppingListItemRecipeRef[];
+  createdAt?: string;
+  updateAt?: string;
  id: string;
 }
 export interface ShoppingListOut {
  name?: string;
+  createdAt?: string;
+  updateAt?: string;
  groupId: string;
  id: string;
  listItems?: ShoppingListItemOut[];
@ -394,15 +410,21 @@ export interface ShoppingListRecipeRefOut {
 }
 export interface ShoppingListSave {
  name?: string;
+  createdAt?: string;
+  updateAt?: string;
  groupId: string;
 }
 export interface ShoppingListSummary {
  name?: string;
+  createdAt?: string;
+  updateAt?: string;
  groupId: string;
  id: string;
 }
 export interface ShoppingListUpdate {
  name?: string;
+  createdAt?: string;
+  updateAt?: string;
  groupId: string;
  id: string;
  listItems?: ShoppingListItemOut[];
--- a/frontend/types/api-types/meal-plan.ts
+++ b/frontend/types/api-types/meal-plan.ts
@ -116,6 +116,8 @@ export interface RecipeSummary {
  recipeIngredient?: RecipeIngredient[];
  dateAdded?: string;
  dateUpdated?: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface RecipeCategory {
  id?: string;
@ -150,6 +152,8 @@ export interface IngredientUnit {
  abbreviation?: string;
  useAbbreviation?: boolean;
  id: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface CreateIngredientUnit {
  name: string;
@ -164,6 +168,8 @@ export interface IngredientFood {
  labelId?: string;
  id: string;
  label?: MultiPurposeLabelSummary;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface MultiPurposeLabelSummary {
  name: string;
--- a/frontend/types/api-types/recipe.ts
+++ b/frontend/types/api-types/recipe.ts
@ -7,6 +7,7 @@

 export type ExportTypes = "json";
 export type RegisteredParser = "nlp" | "brute";
+export type OrderDirection = "asc" | "desc";

 export interface AssignCategories {
  recipes: string[];
@ -96,6 +97,8 @@ export interface IngredientFood {
  labelId?: string;
  id: string;
  label?: MultiPurposeLabelSummary;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface MultiPurposeLabelSummary {
  name: string;
@ -120,6 +123,8 @@ export interface IngredientUnit {
  abbreviation?: string;
  useAbbreviation?: boolean;
  id: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface IngredientsRequest {
  parser?: RegisteredParser & string;
@ -142,6 +147,13 @@ export interface Nutrition {
  sodiumContent?: string;
  sugarContent?: string;
 }
+export interface PaginationQuery {
+  page?: number;
+  perPage?: number;
+  orderBy?: string;
+  orderDirection?: OrderDirection & string;
+  queryFilter?: string;
+}
 export interface ParsedIngredient {
  input?: string;
  confidence?: IngredientConfidence;
@ -178,6 +190,8 @@ export interface Recipe {
  recipeIngredient?: RecipeIngredient[];
  dateAdded?: string;
  dateUpdated?: string;
+  createdAt?: string;
+  updateAt?: string;
  recipeInstructions?: RecipeStep[];
  nutrition?: Nutrition;
  settings?: RecipeSettings;
@ -259,6 +273,8 @@ export interface RecipeSummary {
  recipeIngredient?: RecipeIngredient[];
  dateAdded?: string;
  dateUpdated?: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface RecipeCommentCreate {
  recipeId: string;
@ -273,6 +289,14 @@ export interface RecipeCommentUpdate {
  id: string;
  text: string;
 }
+export interface RecipePaginationQuery {
+  page?: number;
+  perPage?: number;
+  orderBy?: string;
+  orderDirection?: OrderDirection & string;
+  queryFilter?: string;
+  loadFood?: boolean;
+}
 export interface RecipeShareToken {
  recipeId: string;
  expiresAt?: string;
--- a/frontend/types/api-types/response.ts
+++ b/frontend/types/api-types/response.ts
@ -5,6 +5,8 @@
 /* Do not modify it by hand - just update the pydantic models and then re-run the script
 */

+export type OrderDirection = "asc" | "desc";
+
 export interface ErrorResponse {
  message: string;
  error?: boolean;
@ -13,6 +15,13 @@ export interface ErrorResponse {
 export interface FileTokenResponse {
  fileToken: string;
 }
+export interface PaginationQuery {
+  page?: number;
+  perPage?: number;
+  orderBy?: string;
+  orderDirection?: OrderDirection & string;
+  queryFilter?: string;
+}
 export interface SuccessResponse {
  message: string;
  error?: boolean;
--- a/frontend/types/api-types/user.ts
+++ b/frontend/types/api-types/user.ts
@ -107,6 +107,8 @@ export interface PrivateUser {
  tokens?: LongLiveTokenOut[];
  cacheKey: string;
  password: string;
+  loginAttemps?: number;
+  lockedAt?: string;
 }
 export interface PrivatePasswordResetToken {
  userId: string;
@ -134,6 +136,8 @@ export interface RecipeSummary {
  recipeIngredient?: RecipeIngredient[];
  dateAdded?: string;
  dateUpdated?: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface RecipeCategory {
  id?: string;
@ -168,6 +172,8 @@ export interface IngredientUnit {
  abbreviation?: string;
  useAbbreviation?: boolean;
  id: string;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface CreateIngredientUnit {
  name: string;
@ -182,6 +188,8 @@ export interface IngredientFood {
  labelId?: string;
  id: string;
  label?: MultiPurposeLabelSummary;
+  createdAt?: string;
+  updateAt?: string;
 }
 export interface MultiPurposeLabelSummary {
  name: string;
@ -212,6 +220,9 @@ export interface TokenData {
  user_id?: string;
  username?: string;
 }
+export interface UnlockResults {
+  unlocked?: number;
+}
 export interface UpdateGroup {
  name: string;
  id: string;