show correct error message the first time account is locked (#7263)

closes #7251 - check if remaining attemps is 0, if so then show account locked error - adds test
2025-01-06 22:40:14 -05:00 · 2016-09-19 08:56:55 -05:00 · 2016-09-19 08:56:55 -05:00 · 756d9bcb6e
commit 756d9bcb6e
parent 9349e99e54
2 changed files with 47 additions and 0 deletions
--- a/core/server/models/user.js
+++ b/core/server/models/user.js
@ -554,6 +554,12 @@ User = ghostBookshelf.Model.extend({
                return bcryptCompare(object.password, user.get('password')).then(function then(matched) {
                    if (!matched) {
                        return Promise.resolve(self.setWarning(user, {validate: false})).then(function then(remaining) {
+                            if (remaining === 0) {
+                                // If remaining attempts = 0, the account has been locked, so show a locked account message
+                                return Promise.reject(new errors.NoPermissionError(
+                                    i18n.t('errors.models.user.accountLocked')));
+                            }
+
                            s = (remaining > 1) ? 's' : '';
                            return Promise.reject(new errors.UnauthorizedError(i18n.t('errors.models.user.incorrectPasswordAttempts', {remaining: remaining, s: s})));

--- a/core/test/integration/model/model_users_spec.js
+++ b/core/test/integration/model/model_users_spec.js
@ -662,4 +662,45 @@ describe('User Model', function run() {
            });
        });
    });
+
+    describe('User Login', function () {
+        beforeEach(testUtils.setup('owner'));
+
+        it('gets the correct validations when entering an invalid password', function () {
+            var object = {email: 'jbloggs@example.com', password: 'wrong'};
+
+            function userWasLoggedIn() {
+                throw new Error('User should not have been logged in.');
+            }
+
+            function checkAttemptsError(number) {
+                return function (error) {
+                    should.exist(error);
+
+                    error.errorType.should.equal('UnauthorizedError');
+                    error.message.should.match(new RegExp(number + ' attempt'));
+
+                    return UserModel.check(object);
+                };
+            }
+
+            function checkLockedError(error) {
+                should.exist(error);
+
+                error.errorType.should.equal('NoPermissionError');
+                error.message.should.match(/^Your account is locked/);
+            }
+
+            return UserModel.check(object).then(userWasLoggedIn)
+                .catch(checkAttemptsError(4))
+                .then(userWasLoggedIn)
+                .catch(checkAttemptsError(3))
+                .then(userWasLoggedIn)
+                .catch(checkAttemptsError(2))
+                .then(userWasLoggedIn)
+                .catch(checkAttemptsError(1))
+                .then(userWasLoggedIn)
+                .catch(checkLockedError);
+        });
+    });
 });