The failed-TOTP handler shared the login request's xorm session, and the login handler rolled that session back after a failed login. The status change to StatusAccountLocked was silently discarded, so the account was never locked regardless of how many failed TOTP attempts arrived. HandleFailedTOTPAuth now opens its own session and commits independently of the caller. The login handler rolls back its session before invoking the handler so the lockout write can acquire a write lock on SQLite shared-cache. Also handles the Redis keyvalue backend returning the attempt counter as a string instead of int64, which would have prevented the lockout path from ever running on Redis. See GHSA-fgfv-pv97-6cmj.
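The lost-write mechanism the commit message describes, as an added example that is not part of the commit or the project's own code. It models transactions with a toy in-memory store; `store`, `tx`, `failedLogin` and the threshold `maxFailedTOTP` are assumptions made for the illustration, and the Redis counter-type issue is not covered here.

```go
package main

const maxFailedTOTP = 3 // assumed lockout threshold for this example

// store and tx stand in for the database: a write made through a tx stays
// pending until commit and is discarded by rollback, as with xorm sessions.
type store struct{ locked bool }
type tx struct {
	s       *store
	pending *bool
}

func (s *store) begin() *tx    { return &tx{s: s} }
func (t *tx) setLocked(v bool) { t.pending = &v }
func (t *tx) rollback()        { t.pending = nil }
func (t *tx) commit() {
	if t.pending != nil {
		t.s.locked = *t.pending
	}
}

// handleFailedTOTP records the lockout. Given a caller's session it writes
// into that; given nil it opens its own and commits independently (the fix).
func handleFailedTOTP(s *store, sess *tx, failedAttempts int64) {
	own := sess == nil
	if own {
		sess = s.begin()
	}
	if failedAttempts >= maxFailedTOTP {
		sess.setLocked(true)
	}
	if own {
		sess.commit()
	}
}

// failedLogin models the login handler's failure path. With shareSession the
// lockout lands in the login transaction, which is then rolled back and lost
// (the bug); otherwise the login session is rolled back first (the fix).
func failedLogin(s *store, failedAttempts int64, shareSession bool) bool {
	sess := s.begin()
	if shareSession {
		handleFailedTOTP(s, sess, failedAttempts)
		sess.rollback()
		return s.locked
	}
	sess.rollback()
	handleFailedTOTP(s, nil, failedAttempts)
	return s.locked
}
```

Running `failedLogin` with the threshold reached shows the shared-session path leaving the account unlocked while the own-session path locks it.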