Defers credential check, take two.

Prevents timing attack concern by checking the user lock status first. The concern seemed very valid and was raised in #169 (comment) .

Author: cimnine

app/controllers/casino/sessions_controller.rb

@@ -21,14 +21,14 @@ def new
   end
 
   def create
+    return show_login_error I18n.t('login_credential_acceptor.user_is_locked') if user_locked?(params[:username])
+
     validation_result = validate_login_credentials(params[:username], params[:password])
-    if !validation_result
+    if validation_result
+      sign_in(validation_result, long_term: params[:rememberMe], credentials_supplied: true)
+    else
       handle_failed_login params[:username]
       show_login_error I18n.t('login_credential_acceptor.invalid_login_credentials')
-    elsif user_from_validation_result(validation_result).locked?
-      show_login_error I18n.t('login_credential_acceptor.user_is_locked')
-    else
-      sign_in(validation_result, long_term: params[:rememberMe], credentials_supplied: true)
     end
   end
 
@@ -85,11 +85,4 @@ def load_ticket_granting_ticket_from_parameter
     @ticket_granting_ticket = find_valid_ticket_granting_ticket(params[:tgt], request.user_agent, ignore_two_factor: true)
     redirect_to login_path if @ticket_granting_ticket.nil?
   end
-
-  def user_from_validation_result(validation_result)
-      user_data = validation_result[:user_data]
-      load_or_initialize_user(validation_result[:authenticator],
-                              user_data[:username],
-                              user_data[:extra_attributes])
-  end
 end

app/helpers/casino/sessions_helper.rb

@@ -51,6 +51,12 @@ def sign_out
     cookies.delete :tgt
   end
 
+  def user_locked?(username)
+    CASino::User.where(username: username).to_a.any? do |user|
+      user.locked?
+    end
+  end
+
   def handle_failed_login(username)
     CASino::User.where(username: username).each do |user|
       create_login_attempt(user, false)