
[RateLimiter] [Security] Invalid error message when max login attempts has been reached #39663

@COil

Symfony version(s) affected: 5.2.1

Description

I get the following response:

{
    "code":401,
    "message":"Too many failed login attempts, please try again in %minutes% minute."
}

The message should be:

Too many login attempts, please try again in 1 minute.

As this feature works for both successful and failed login attempts, the word "failed" should be removed.

How to reproduce

config/packages/security.yaml:

security:
    firewalls:    # key missing from the original paste; login_throttling lives under a firewall
        login:
            pattern:  ^/api/login
            stateless: true
            login_throttling:
                max_attempts: 5   # interval defaults to 1 minute
            json_login:
                provider:        app_user_provider
                check_path:      /api/login_check
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure

Possible Solution

Missing key + placeholder handling.

Additional context

Using a json_login and the lexik_jwt_authentication handlers.

Login via a curl command:

curl -X POST -H "Content-Type: application/json" https://127.0.0.1:8000/api/login_check -d '{"username":"reader","password":"test"}'
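The raw "%minutes%" reaches the client because the failure handler sends the exception's message key without its placeholder data. A failure handler that renders the key together with `getMessageData()`, as an added example (not code from the issue, from Symfony or from LexikJWTAuthenticationBundle): the class name and file path are my choices, the `%minutes%` entry in `getMessageData()` is assumed from the response quoted above, and mapping throttling to HTTP 429 with a `Retry-After` header is a design choice, not something the issue asks for.

```php
<?php
// Added example; assumed location: src/Security/JsonAuthenticationFailureHandler.php
// Wire it in with: failure_handler: App\Security\JsonAuthenticationFailureHandler
// (autowiring injects TranslatorInterface; security.yaml key names are assumed).
namespace App\Security;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\TooManyLoginAttemptsAuthenticationException;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
use Symfony\Contracts\Translation\TranslatorInterface;

final class JsonAuthenticationFailureHandler implements AuthenticationFailureHandlerInterface
{
    /** @var TranslatorInterface */
    private $translator;

    public function __construct(TranslatorInterface $translator)
    {
        $this->translator = $translator;
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
    {
        // getMessageKey() is the safe, client-facing translation id (never the raw
        // getMessage(), which may carry internal detail such as "user not found");
        // getMessageData() holds the placeholders, e.g. ['%minutes%' => 1].
        // The translator substitutes placeholders even when the key has no entry in
        // the "security" catalogue, so the client never sees a bare "%minutes%".
        $message = $this->translator->trans(
            $exception->getMessageKey(),
            $exception->getMessageData(),
            'security'
        );

        $status  = Response::HTTP_UNAUTHORIZED;
        $headers = [];

        if ($exception instanceof TooManyLoginAttemptsAuthenticationException) {
            // Throttling is not a credentials problem: answer 429 and tell well-behaved
            // clients how long to back off. '%minutes%' is assumed to be present in the
            // message data (it appears in the response quoted in the issue).
            $status  = Response::HTTP_TOO_MANY_REQUESTS;
            $minutes = (int) ($exception->getMessageData()['%minutes%'] ?? 1);
            $headers['Retry-After'] = (string) (60 * max(1, $minutes));
        }

        return new JsonResponse(['code' => $status, 'message' => $message], $status, $headers);
    }
}
```

With this handler the throttled response body becomes "Too many failed login attempts, please try again in 1 minute." (wording still as emitted by Symfony 5.2.1; the issue's request to drop "failed" is a change to the exception's message key, not to the handler). Keeping the ordinary failures at 401 with the translated key only, and never echoing the submitted username, avoids turning the login endpoint into a user-enumeration oracle.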
