Frontend: Security: Handling Failed login attempts via Folio Login Screen - Lock Account

Description

As a person responsible for the security of the Folio platform,
I want to prevent brute-force attacks against the Folio platform when a user attempts to log in to Folio and fails.

Requirement

  • Applies to users logging in with a local username/password.

  • After the 3rd failed login attempt, display a message on the Folio login screen: [You have entered the wrong username or password for the third time. You have two more tries to login before your account will be locked.]

  • After 5 consecutive failed login attempts, lock the user's Folio account and display a message on the Folio login screen: [For security purposes, your account has been locked. Please contact your Folio System Administrator to reset your password.]

  • To unlock an account, a Folio administrator must set the user status = active on the user's record.

Acceptance Criteria

Given I am attempting to login to Folio
When I fail three times to login
Then the following message should display on the Folio login screen: [You have entered the wrong username or password for the third time. You have two more tries to login before your account will be locked.]

Given I am attempting to login to Folio
When I fail 5 consecutive times to login
Then the following message should display: For security purposes, your account has been locked. Please contact your Folio System Administrator to reset your password.

Given my Folio account is locked
When I attempt to login again
Then the following message displays: For security purposes, your account has been locked. Please try again or contact your Folio System Administrator.

Given a Folio user account is locked
When the Folio system administrator resets the user status = active on that user account
Then the user should be able to attempt to login to Folio
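The requirement and acceptance criteria above describe a small state machine: count consecutive failures per account, warn on the 3rd, lock (status inactive) on the 5th, and clear the lock only when an administrator sets the status back to active. The following is an added illustration of that policy, not FOLIO's own mod-login or Stripes code; the in-memory user store, the plaintext password check and the generic "Invalid username or password" message for attempts 1, 2 and 4 are assumptions for the model.

```javascript
// Added example (not FOLIO code): a model of the lockout policy in this story.
// The counter and lock flag live server-side (here an in-memory Map), so a
// client cannot reset them by reloading the login page.
const WARN_AFTER = 3;
const LOCK_AFTER = 5;

const MSG_WARN = 'You have entered the wrong username or password for the third time. You have two more tries to login before your account will be locked.';
const MSG_LOCKED_NOW = 'For security purposes, your account has been locked. Please contact your Folio System Administrator to reset your password.';
const MSG_LOCKED_RETRY = 'For security purposes, your account has been locked. Please try again or contact your Folio System Administrator.';
const MSG_BAD = 'Invalid username or password.'; // assumed generic message; the story does not specify one

// Constructed user store: username -> { password, active, failures }.
// A real system compares against a password hash, never a stored plaintext.
const users = new Map([
  ['gambrell', { password: 'correct horse', active: true, failures: 0 }],
]);

function attemptLogin(username, password) {
  const u = users.get(username);
  // Unknown users get the same generic failure so usernames are not enumerated.
  if (!u) return { ok: false, message: MSG_BAD };
  // A locked account stays locked even when the password is now correct.
  if (!u.active) return { ok: false, message: MSG_LOCKED_RETRY };
  if (password === u.password) {
    u.failures = 0; // a success resets the consecutive-failure count
    return { ok: true, message: '' };
  }
  u.failures += 1;
  if (u.failures >= LOCK_AFTER) {
    u.active = false; // lock: the user record becomes inactive
    return { ok: false, message: MSG_LOCKED_NOW };
  }
  if (u.failures === WARN_AFTER) return { ok: false, message: MSG_WARN };
  return { ok: false, message: MSG_BAD };
}

// Administrator action from the requirement: setting status = active on the
// user record unlocks the account and clears the failure count.
function adminActivate(username) {
  const u = users.get(username);
  if (!u) return false;
  u.active = true;
  u.failures = 0;
  return true;
}
```

The lock flips the record to inactive, which is exactly what the manual test in the comments checks by logging in as an administrator and inspecting the locked user's status.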

Environment

None

Potential Workaround

None

Activity

Khalilah Gambrell, January 25, 2019 at 12:39 AM

Unable to test due to SMTP configuration setup

Khalilah Gambrell, November 2, 2018 at 1:45 PM

Issue is blocked.

Oleksandr Antonenko, October 26, 2018 at 12:00 PM

I have created a bug to fix this. Also I have talked with Oleksii from folijet and he said that he will do that. https://folio-org.atlassian.net/browse/MODLOGIN-89

Khalilah Gambrell, October 26, 2018 at 11:55 AM

I am testing on http://folio-snapshot-latest.aws.indexdata.com
1. I created user: Larry Bird with username gambrell
2. I put in 5 bad passwords on the login page to get the "you are locked out message"
3. I logged in as diku_admin to see if Larry Bird's status was inactive. He remains active.

Khalilah Gambrell, October 26, 2018 at 11:51 AM

- looks good.

  • We need to remove the first comma in the error "For security, purposes, your account has been locked. Please contact your Folio System Administrator to reset your password."

  • It should be For security purposes, your account has been locked. Please contact your Folio System Administrator to reset your password.

Done

Development Team: Vega

Created August 1, 2018 at 5:02 PM
Updated March 11, 2020 at 11:18 AM
Resolved March 11, 2020 at 11:18 AM