Skip to content

FR: successful password reset should unlock account locked via accountLockout policy #6773

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mman opened this issue Jul 3, 2020 · 4 comments · Fixed by #7146
Closed

FR: successful password reset should unlock account locked via accountLockout policy #6773

mman opened this issue Jul 3, 2020 · 4 comments · Fixed by #7146
Labels
type:feature New feature or improvement of existing feature

Comments

@mman
Copy link
Contributor

mman commented Jul 3, 2020
edited
Loading

Running parse server 4.2.0 with accountLockout policy configured to enable locking accounts when incorrect password is entered multiple times.

What I found out is that when a user gets locked out due to many failed login attempts, and then performs a password reset successfully, the account remains locked.

I thinks a successful password reset should unlock the account.

What do you think?
Martin
@mtrezza mtrezza added type:feature New feature or improvement of existing feature enhancement and removed type:feature New feature or improvement of existing feature labels Jul 4, 2020
@mtrezza
Copy link
Member

mtrezza commented Jul 4, 2020
edited
Loading

I think it makes sense. I just tried out Twitter's account lock policy and it works the way you describe:

  • The account is locked after n retries.
  • Even entering the correct password does not unlock the account.
  • Password reset via email works, unlocks the account and allows to login immediately.

However, this is a matter of policy, which can be different depending on the use case of Parse Server. In some systems, a locked account cannot be unlocked by a user anymore and does not unlock itself, only an admin can unlock the account.

I think it would be a good enhancement and suggest to add this as an option to the Parse Server configuration.

@stale
Copy link

stale bot commented Nov 8, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Nov 8, 2020
@mman
Copy link
Contributor Author

mman commented Nov 8, 2020

This should remain open

@stale stale bot removed the stale label Nov 8, 2020
@mtrezza mtrezza mentioned this issue Jan 28, 2021
Merged
6 tasks
@mtrezza
Copy link
Member

mtrezza commented Jan 28, 2021

The PR above introduces an option to define this behavior. The PR is currently in review.

@mtrezza mtrezza added type:feature New feature or improvement of existing feature and removed type:improvement labels Dec 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:feature New feature or improvement of existing feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add account unlock on password reset mtrezza/parse-server
2 participants
@mman @mtrezza