The user lockout feature is the way to improve application security by locking out a user that enters a password incorrectly several times. This technique can help us in protecting against brute force attacks, where an attacker repeatedly tries to guess a password. β³
Quite a basic feature for an authentication service, but adding it in my Web API app was quite a head scratcher.
1. Adding to configuration service
In your startup.cs or container configuration file, the config for locking out can be set.
services.AddIdentity<User, IdentityRole>(opt =>
{
// previous code removed for clarity reasons
opt.Lockout.AllowedForNewUsers = true;
opt.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(2);
opt.Lockout.MaxFailedAccessAttempts = 3;
})
The property names are self explanatory here.
The above code will by default setup locking out feature and if a person is trying to login with wrong password
for a given username
the user account will be locked out for 5 minutes updated accordingly in LockoutEnd
column
2. How to check if this user is Locked Out?
// AuthService.cs
..
var result = await signInManager.CheckPasswordSignInAsync(user, model.Password, lockoutOnFailure: true);
..
The properties of result : SignInResult
we are concerned here are Succeeded
, IsLockedOut
.
β
Succeeded == true
if the username and password match
β Succeeded == false
if the username and password do not match
β
IsLockedOut == true
if this user has been locked out after x number of trials
3. π€ What is here to scratch your hear for
I was expecting LockOutEnabled
will become true (1)
in the identity user table. It took me few hours to get to the documentation but it was stated clearly in the Library class.
// Microsoft.AspNetCore.Identity.IdentityUser
// Gets or sets a flag indicating if the user could be locked out.
public virtual bool LockoutEnabled { get; set; }
I missed the could be and it costed me some hours.πͺ
Updating this column to true
for necessary users then locks out the user for particular a time limit set in the config
The proper logging and an error can be thrown with
result.IsLockedOut
flag from the service layer π
π References
Top comments (0)