Reject login when a user is locked

When a user is locked (locked_until is in the future) he can't log in anymore.

Author: Philippe Hässig

app/controllers/casino/sessions_controller.rb

@@ -25,6 +25,8 @@ def create
     if !validation_result
       handle_failed_login params[:username]
       show_login_error I18n.t('login_credential_acceptor.invalid_login_credentials')
+    elsif user_from_validation_result(validation_result).locked?
+      show_login_error I18n.t('sessions.create.user_locked')
     else
       sign_in(validation_result, long_term: params[:rememberMe], credentials_supplied: true)
     end
@@ -83,4 +85,11 @@ def load_ticket_granting_ticket_from_parameter
     @ticket_granting_ticket = find_valid_ticket_granting_ticket(params[:tgt], request.user_agent, ignore_two_factor: true)
     redirect_to login_path if @ticket_granting_ticket.nil?
   end
+
+  def user_from_validation_result(validation_result)
+      user_data = validation_result[:user_data]
+      load_or_initialize_user(validation_result[:authenticator],
+                              user_data[:username],
+                              user_data[:extra_attributes])
+  end
 end

config/locales/de.yml

@@ -2,6 +2,7 @@ de:
   login_credential_acceptor:
     invalid_login_ticket: "Ihre Anfrage enthielt kein gültiges Login-Ticket."
     invalid_login_credentials: "Benutzername oder Passwort falsch."
+    user_is_locked: "Ihr Account ist wegen zu vieler falscher Loginversuche gesperrt. Bitte versuchen Sie es später nochmal."
   login:
     label_username: "Benutzername"
     label_password: "Passwort"

config/locales/en.yml

@@ -2,6 +2,7 @@ en:
   login_credential_acceptor:
     invalid_login_ticket: "Your login request did not include a valid login ticket."
     invalid_login_credentials: "Incorrect username or password."
+    user_is_locked: "Your user is currently locked because of failed login attempts. Please try again later."
   login:
     label_username: "Username"
     label_password: "Password"

config/locales/fr.yml

@@ -2,6 +2,7 @@ fr:
   login_credential_acceptor:
     invalid_login_ticket: "La demande de connexion n'inclue pas un ticket de connexion valide."
     invalid_login_credentials: "Nom d'utilisateur ou mot de passe incorrect."
+    user_is_locked: "Votre utilisateur est actuellement bloqué dû à des tentatives de connexions échouées. Veuillez réessayer ultérieurement."
   login:
     label_username: "Nom d'utilisateur"
     label_password: "Mot de passe"

spec/controllers/sessions_controller_spec.rb

@@ -188,7 +188,8 @@
       let(:login_ticket) { FactoryGirl.create :login_ticket }
       let(:username) { 'testuser' }
       let(:params) { { lt: login_ticket.ticket, username: username, password: 'wrrooonnng' }}
-      let!(:user) { FactoryGirl.create :user, username: username }
+      let(:locked_until) { nil }
+      let!(:user) { FactoryGirl.create :user, authenticator: 'static', username: username, locked_until: locked_until }
 
       context 'with invalid credentials' do
         it 'renders the new template' do
@@ -328,6 +329,8 @@
           end
 
           context 'when the user does not exist yet' do
+            before { CASino::User.destroy_all }
+
             it 'generates exactly one user' do
               lambda do
                 post :create, params
@@ -385,6 +388,20 @@
             end.should change(CASino::TicketGrantingTicket, :count).by(1)
           end
         end
+
+        context 'when the user is locked' do
+          let(:locked_until) { 5.minutes.from_now }
+
+          it 'renders the new template' do
+            post :create, params
+            expect(response).to render_template(:new)
+          end
+
+          it 'sets a flash to inform the user' do
+            post :create, params
+            expect(flash[:error]).to be_present
+          end
+        end
       end
     end
   end