From cfc484b173120dfe14616424c1ec279bb74cf2a9 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Tue, 21 Mar 2017 18:48:41 -0300 Subject: [PATCH] Bug 18314: Account lockout To prevent brute force attacks on Koha accounts, staff and opac, we need to implement an account lockout process to Koha. After a number of failed login attempts a users account would become locked. The user would then need to use the reset password functionality to send a reset token to their email account. After a successful password reset the lockout flag would be removed. The number of failed login attempts before lockout is configurable using a new system preference 'FailedLoginAttempts'. How does it work? When a patron enter an invalid password, the borrowers.login_attempts value for this patron is incremented. When this value reach the value of the pref FailedLoginAttempts, the password comparison is not done and the authentication is rejected. This login_attempts field is reset when a patron correctly logs in. When the account is locked the patron has to reset his/her password using the OpacResetPassword feature or ask a staff member to generate a new password. If the pref is not set (0, or '') the feature is considered as disabled, but the failed login attempts are stored anyway. Test plan: 0/ Apply patch and execute the update DB entry 1/ Switch on the feature by setting FailedLoginAttempts to 3 2/ Use an invalid password to login at the staff or OPAC interface 3/ After the third consecutive failures, you will be asked to reset your password if OpacResetPassword is set, or contact a staff member 4/ Switch on OpacResetPassword and reset your password 5/ Confirm that you are able to login 6/ Play with the different combinations QA details: The trick happens in C4::Auth::checkpw, to make things clear I had to create a return value (note the awesome name: @return) and replace the 3 successives if statements with elsif. Indeed if one of the condition is reached, it will return inside the given block. Signed-off-by: Jonathan Field Signed-off-by: Nick Clemens Signed-off-by: Kyle M Hall --- C4/Auth.pm | 46 ++++++++++++++----- Koha/Patron.pm | 18 ++++++++ .../intranet-tmpl/prog/en/modules/auth.tt | 8 +++- .../bootstrap/en/modules/opac-auth.tt | 12 ++++- 4 files changed, 70 insertions(+), 14 deletions(-) diff --git a/C4/Auth.pm b/C4/Auth.pm index 8a4166d251..74c2792477 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1209,6 +1209,8 @@ sub checkauth { push @inputs, { name => $name, value => $value }; } + my $patron = Koha::Patrons->find({ userid => $q_userid }); # Not necessary logged in! + my $LibraryNameTitle = C4::Context->preference("LibraryName"); $LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi; $LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg; @@ -1258,6 +1260,7 @@ sub checkauth { PatronSelfRegistration => C4::Context->preference("PatronSelfRegistration"), PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"), opac_css_override => $ENV{'OPAC_CSS_OVERRIDE'}, + too_many_login_attempts => ( $patron and $patron->account_locked ), ); $template->param( SCO_login => 1 ) if ( $query->param('sco_user_login') ); @@ -1756,28 +1759,39 @@ sub get_session { sub checkpw { my ( $dbh, $userid, $password, $query, $type, $no_set_userenv ) = @_; $type = 'opac' unless $type; - if ($ldap) { + + my @return; + my $patron = Koha::Patrons->find({ userid => $userid }); + + if ( $patron and $patron->account_locked ) { + @return = (0); + } elsif ($ldap) { $debug and print STDERR "## checkpw - checking LDAP\n"; my ( $retval, $retcard, $retuserid ) = checkpw_ldap(@_); # EXTERNAL AUTH - return 0 if $retval == -1; # Incorrect password for LDAP login attempt - ($retval) and return ( $retval, $retcard, $retuserid ); - } + if ( $retval ) { + @return = ( $retval, $retcard, $retuserid ); + } else { + @return = (0); + } - if ( $cas && $query && $query->param('ticket') ) { + } elsif ( $cas && $query && $query->param('ticket') ) { $debug and print STDERR "## checkpw - checking CAS\n"; # In case of a CAS authentication, we use the ticket instead of the password my $ticket = $query->param('ticket'); $query->delete('ticket'); # remove ticket to come back to original URL my ( $retval, $retcard, $retuserid ) = checkpw_cas( $dbh, $ticket, $query, $type ); # EXTERNAL AUTH - ($retval) and return ( $retval, $retcard, $retuserid ); - return 0; + if ( $retval ) { + @return = ( $retval, $retcard, $retuserid ); + } else { + @return = (0); + } } # If we are in a shibboleth session (shibboleth is enabled, and a shibboleth match attribute is present) # Check for password to asertain whether we want to be testing against shibboleth or another method this # time around. - if ( $shib && $shib_login && !$password ) { + elsif ( $shib && $shib_login && !$password ) { $debug and print STDERR "## checkpw - checking Shibboleth\n"; @@ -1788,13 +1802,23 @@ sub checkpw { # Then, we check if it matches a valid koha user if ($shib_login) { my ( $retval, $retcard, $retuserid ) = C4::Auth_with_shibboleth::checkpw_shib($shib_login); # EXTERNAL AUTH - ($retval) and return ( $retval, $retcard, $retuserid ); - return 0; + if ( $retval ) { + @return = ( $retval, $retcard, $retuserid ); + } else { + @return = (0); + } } } # INTERNAL AUTH - return checkpw_internal( $dbh, $userid, $password, $no_set_userenv); + @return = checkpw_internal( $dbh, $userid, $password, $no_set_userenv) unless @return; + + if ( $return[0] == 0 ) { + $patron->update({ login_attempts => $patron->login_attempts + 1 }) if $patron; + } elsif ( $return[1] == 1 ) { + $patron->update({ login_attempts => 0 })->store if $patron; + } + return @return; } sub checkpw_internal { diff --git a/Koha/Patron.pm b/Koha/Patron.pm index b97bceb258..860a4b6cf2 100644 --- a/Koha/Patron.pm +++ b/Koha/Patron.pm @@ -630,6 +630,24 @@ sub get_enrollable_clubs { return wantarray ? $e->as_list : $e; } +=head3 account_locked + +my $is_locked = $patron->account_locked + +Return true if the patron has reach the maximum number of login attempts (see pref FailedLoginAttempts). +Otherwise return false. +If the pref is not set (empty string, null or 0), the feature is considered as disabled. + +=cut + +sub account_locked { + my ($self) = @_; + my $FailedLoginAttempts = C4::Context->preference('FailedLoginAttempts'); + return ( $FailedLoginAttempts + and $self->login_attempts + and $self->login_attempts >= $FailedLoginAttempts )? 1 : 0; +} + =head3 type =cut diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt index c6a050c02d..7d6716598d 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt @@ -1,3 +1,4 @@ +[% USE Koha %] [% USE Branches %] [% SET footerjs = 1 %] [% INCLUDE 'doc-head-open.inc' %] @@ -5,7 +6,8 @@ [% IF ( nopermission ) %]Access denied[% END %] [% IF ( timed_out ) %]Session timed out[% END %] [% IF ( different_ip ) %]IP address change[% END %] - [% IF ( invalid_username_or_password ) %]Invalid username or password[% END %] + [% IF too_many_login_attempts %]This account has been locked. + [% ELSIF invalid_username_or_password %]Invalid username or password[% END %] [% IF ( loginprompt ) %]Log in to Koha[% END %] [% INCLUDE 'doc-head-close.inc' %] @@ -37,7 +39,9 @@
Error: Autolocation is switched on and you are logging in with an IP address that doesn't match your library.
[% END %] -[% IF ( invalid_username_or_password ) %] +[% IF too_many_login_attempts %] +
Error: This account has been locked!
+[% ELSIF invalid_username_or_password %]
Error: Invalid username or password
[% END %] diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt index 6d941bf8f2..31cfbc63c5 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt @@ -53,7 +53,17 @@ [% END %] - [% IF ( invalid_username_or_password ) %] + + [% IF too_many_login_attempts %] +
+ This account has been locked! + [% IF Koha.Preference('OpacResetPassword') %] + You must reset your password. + [% ELSE %] + Please contact a library staff member. + [% END %] +
+ [% ELSIF invalid_username_or_password %]

You entered an incorrect username or password. Please try again! And remember, passwords are case sensitive.

-- 2.39.5