security: implement user lockout (#1552)

* add data-types required for login security * implement user lockout checking at login * cleanup legacy patterns * expose passwords in test_user * test user lockout after bad attempts * test user service * bump alembic version * save increment to database * add locked_at to datetime transformer on import * do proper test cleanup * implement scheduled task * spelling * document env variables * implement context manager for session * use context manager * implement reset script * cleanup generator * run generator * implement API endpoint for resetting locked users * add button to reset all locked users * add info when account is locked * use ignore instead of expect-error
2025-08-02 20:15:24 +02:00 · 2022-08-13 13:18:12 -08:00 · 2022-08-13 13:18:12 -08:00 · b3c41a4bd0
commit b3c41a4bd0
parent ca64584fd1
35 changed files with 450 additions and 46 deletions
--- a/tests/integration_tests/user_tests/test_user_login.py
+++ b/tests/integration_tests/user_tests/test_user_login.py
@ -3,6 +3,8 @@ import json
 from fastapi.testclient import TestClient

 from mealie.core.config import get_app_settings
+from mealie.repos.repository_factory import AllRepositories
+from mealie.services.user_services.user_service import UserService
 from tests.utils.app_routes import AppRoutes
 from tests.utils.fixture_schemas import TestUser

@ -35,3 +37,27 @@ def test_user_token_refresh(api_client: TestClient, api_routes: AppRoutes, admin
    response = api_client.post(api_routes.auth_refresh, headers=admin_user.token)
    response = api_client.get(api_routes.users_self, headers=admin_user.token)
    assert response.status_code == 200
+
+
+def test_user_lockout_after_bad_attemps(api_client: TestClient, unique_user: TestUser, database: AllRepositories):
+    """
+    if the user has more than 5 bad login attemps the user will be locked out for 4 hours
+    This only applies if there is a user in the database with the same username
+    """
+    routes = AppRoutes()
+    settings = get_app_settings()
+
+    for _ in range(settings.SECURITY_MAX_LOGIN_ATTEMPTS):
+        form_data = {"username": unique_user.email, "password": "bad_password"}
+        response = api_client.post(routes.auth_token, form_data)
+
+        assert response.status_code == 401
+
+    valid_data = {"username": unique_user.email, "password": unique_user.password}
+    response = api_client.post(routes.auth_token, valid_data)
+    assert response.status_code == 423
+
+    # Cleanup
+    user_service = UserService(database)
+    user = database.users.get_one(unique_user.user_id)
+    user_service.unlock_user(user)