Skip to content
This repository has been archived by the owner on Jun 2, 2023. It is now read-only.

Wrong current password sends multiple login attempts #677

Open
MaksaUniver opened this issue Sep 26, 2022 · 1 comment
Open

Wrong current password sends multiple login attempts #677

MaksaUniver opened this issue Sep 26, 2022 · 1 comment

Comments

@MaksaUniver
Copy link

MaksaUniver commented Sep 26, 2022
edited
Loading

PassCore Server

  • OS: Windows

  • PassCore version: 4.2.3 (We had some issues with 4.2.4 version)

  • Provider: Active Directory

  • Settings file (without sensitive information):
    "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
    "Default": "Debug",
    "System": "Information",
    "Microsoft": "Information"
    }
    },
    "WebSettings": {
    "EnableHttpsRedirect": true
    },
    "AppSettings": {
    // The following options for AD Provider (remove if you don't use this Provider)
    "UseAutomaticContext": true
    "RestrictedADGroups": []
    "AllowedADGroups": []
    "IdTypeForUser": "UPN"
    "UpdateLastPassword": true
    // The following options are for LDAP Provider (remove if you don't use this Provider)
    //"LdapSearchBase": "",
    //"LdapSecureSocketLayer": false
    //"LdapStartTls": true
    //"LdapChangePasswordWithDelAdd": true,
    //"LdapSearchFilter": "(sAMAccountName={Username})"
    // General options (valid for both providers)
    "LdapHostnames": [ "my.domain" ]
    "LdapPort": 389
    "LdapUsername": ""
    "LdapPassword": ""
    "DefaultDomain": "my.domain" // Set your default AD domain here, or non "@" logins will not work! Use empty value to allow user to set the domain. This option is ONLY available with UPN.
    },
    "ClientSettings": {
    "ValidationRegex": {
    "EmailRegex": "^[a-zA-Z0-9.!#$%&’+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)$",
    "UsernameRegex": "^[a-zA-Z0-9._-]{3,20}$"
    },
    "UsePasswordGeneration": false
    "MinimumDistance": 0
    "PasswordEntropy": 16
    "ShowPasswordMeter": true,
    "MinimumScore": 0
    "Recaptcha": {
    "SiteKey": ""
    "PrivateKey": ""
    "LanguageCode": "en"
    },

  • Log file (without sensitive information):

Describe the bug
When I intentionally enter wrong password in order to test PassCore since it's new installation, badPwdCount attribute value increments by 2, 3, or even 4 on every attempt. Problem is that it also automatically locks account.

To Reproduce
Steps to reproduce the behavior:

  1. Enter all required data for resetting password
  2. Intentionally enter wrong current password
  3. Check badPwdCount attribute value in Active Directory

Expected behavior
badPwdCount attribute value should increment by 1.

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Tested on Firefox, Edge, Chrome
@MaksaUniver
Copy link
Author

MaksaUniver commented Sep 26, 2022
edited
Loading

Log information:

Hosting environment: Production

Content root path: C:\inetpub\wwwroot\PassCore

Now listening on: http://reset.server.local:80/

Now listening on: https://reset.server.local:443/

Application started. Press Ctrl+C to shut down.

info: Microsoft.AspNetCore.Hosting.Diagnostics[1]

  Request starting HTTP/2.0 GET https://reset.server.local/

info: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[6]

  The file /index.html was not modified

info: Microsoft.AspNetCore.Hosting.Diagnostics[2]

  Request finished in 24.3604ms 304 text/html

info: Microsoft.AspNetCore.Hosting.Diagnostics[1]

  Request starting HTTP/2.0 GET https://reset.server.local/api/password

info: Microsoft.AspNetCore.Routing.EndpointMiddleware[0]

  Executing endpoint 'Unosquare.PassCore.Web.Controllers.PasswordController.Get (Unosquare.PassCore.Web)'

info: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[3]

  Route matched with {action = "Get", controller = "Password"}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult Get() on controller Unosquare.PassCore.Web.Controllers.PasswordController (Unosquare.PassCore.Web).

info: Microsoft.AspNetCore.Mvc.Infrastructure.SystemTextJsonResultExecutor[1]

  Executing JsonResult, writing value of type 'Unosquare.PassCore.Web.Models.ClientSettings'.

info: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[2]

  Executed action Unosquare.PassCore.Web.Controllers.PasswordController.Get (Unosquare.PassCore.Web) in 21.8165ms

info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]

  Executed endpoint 'Unosquare.PassCore.Web.Controllers.PasswordController.Get (Unosquare.PassCore.Web)'

info: Microsoft.AspNetCore.Hosting.Diagnostics[2]

  Request finished in 67.9911ms 200 application/json; charset=utf-8

info: Microsoft.AspNetCore.Hosting.Diagnostics[1]

  Request starting HTTP/2.0 POST https://reset.server.local/api/password application/json 132

info: Microsoft.AspNetCore.Routing.EndpointMiddleware[0]

  Executing endpoint 'Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web)'

info: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[3]

  Route matched with {action = "Post", controller = "Password"}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Post(Unosquare.PassCore.Web.Models.ChangePasswordModel) on controller Unosquare.PassCore.Web.Controllers.PasswordController (Unosquare.PassCore.Web).

warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]

  Using AutomaticContext

info: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]

  PerformPasswordChange for user [email protected]

fail: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[888]

  ValidateGroups

System.NullReferenceException: Object reference not set to an instance of an object.

at Unosquare.PassCore.PasswordProvider.PasswordChangeProvider.b__7_0(Principal x) in C:\Unosquare\passcore\src\Unosquare.PassCore.PasswordProvider\PasswordChangeProvider.cs:line 167

at System.Linq.Enumerable.Any[TSource](IEnumerable1 source, Func2 predicate)

at Unosquare.PassCore.PasswordProvider.PasswordChangeProvider.ValidateGroups(UserPrincipal userPrincipal) in C:\Unosquare\passcore\src\Unosquare.PassCore.PasswordProvider\PasswordChangeProvider.cs:line 167

dbug: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]

  ValidateUserCredentials GetLastWin32Error 1326

warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]

  The User principal password is not valid

info: Microsoft.AspNetCore.Mvc.Infrastructure.ObjectResultExecutor[1]

  Executing ObjectResult, writing value of type 'Unosquare.PassCore.Web.Models.ApiResult'.

info: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[2]

  Executed action Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web) in 613.7161ms

inf

@MaksaUniver MaksaUniver changed the title Wrong current password sends 4 login attempts Wrong current password sends multiple login attempts Sep 26, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@MaksaUniver