Disable login for a user after X number of failed attempts

Wasp version: 0.16.3
Platform: macOS
I'm looking for a way to disable logging in for a user that has 3 or more consecutive failed login attempts. Is there a mechanism currently in Wasp to handle this functionality? If not, is there a recommended way I should go about it? I haven't been able to find anything in the Wasp/OpenSaaS docs. Thanks!
10 Replies
kapa.ai
kapa.ai2w ago
Hi @Justin Vandenberg. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Based on the knowledge sources provided, there doesn't appear to be any built-in mechanism in Wasp specifically for disabling login after a certain number of failed attempts. Wasp uses Lucia Auth v3 under the hood for session management as mentioned in the Auth Overview documentation, but the provided knowledge sources don't contain information about rate limiting or account locking features.
Since this functionality isn't built into Wasp directly, you would need to implement it yourself. A general approach would be:
1. Add a field to your User entity to track failed login attempts
2. Create custom logic in your authentication flow to increment this counter on failed attempts
3. Reset the counter on successful login
4. Check this counter before allowing login attempts
You might want to check the Lucia Auth v3 documentation (not included in the knowledge sources) to see if it provides any built-in mechanisms for this that you could leverage, since Wasp uses it internally.
If you need more specific guidance, you might want to ask in the Wasp Discord community, as they seem to be quite active in helping with authentication-related questions based on the knowledge sources.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
Sorry @Justin Vandenberg, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
Justin Vandenberg
Following up with what I've tried up to this point: I've tried using the auth hook onBeforeLogin, but that only seems to fire with a successful login attempt. Is that supposed to be how it functions? I've also looked into setting up a custom login action, but there doesn't seem to be any documentation on that (similar to the custom signup example).
JakeLoew
JakeLoew2w ago
GitHub
Introduce support for rate limiting · Issue #1098 · wasp-lang/wasp
We added a rate limiter dependency in order to limit the signup and password reset actions when using the e-mail and password auth. We can reuse that to introduce a general rate limiting feature th...
JakeLoew
JakeLoew2w ago
The docs say you get rate limiting out of the box for signup https://wasp.sh/docs/0.11.8/auth/email
miho
miho2w ago
@Justin Vandenberg the hook you mentioned fires for all login attempts (successful or otherwise) - you could check the credentials and see if they are correct and count the unsuccessful attempts. I know that's quite cumbersome. We should upgrade our rate limiting approach that would improve the security.
Related issues:
- https://github.com/wasp-lang/wasp/issues/1098
- https://github.com/wasp-lang/wasp/issues/1873
GitHub
Add support for CAPTCHA during auth · Issue #1873 · wasp-lang/wasp
It would be a good security measure to add support for CAPTCHAs during login and signup. It would help limit automated actions.
Justin Vandenberg
If that's the case I'm experiencing a bug where the auth hooks are only firing after successful attempts. I've created an MRE here - https://github.com/justinvandenberg/wasp-onbeforelogin-hook-example/tree/main
The steps to reproduce are:
1. Clone the repo:
   git clone git@github.com:justinvandenberg/wasp-onbeforelogin-hook-example.git
2. Set up database:
   wasp db migrate-dev
3. Run app:
   wasp start
4. Create a user
5. Verify the email using the link in the console
6. Log out (if needed)
7. Log in with incorrect credentials (you won't see "onBeforeLogin hook fired!" in the console)
8. Log in with correct credentials (you will see "onBeforeLogin hook fired!" in the console)
miho
miho2w ago
Thanks for the example app! I'll check it out tomorrow 🙂
Justin Vandenberg
Thanks!
miho
miho2w ago
I've successfully reproduced the behaviour 👍 Based on our impl, the hook should be named onBeforeSuccessfulLogin - because Wasp validates if email is verified and then checks the password hash for you: https://github.com/wasp-lang/wasp/blob/main/waspc/data/Generator/templates/server/src/auth/providers/email/login.ts#L43
To handle your use case, you'd need to hook into the credentials validation process (does email exist, is it verified, is the password correct). Could you give me an ideal scenario for you? Forget you are using Wasp, what would be the ideal logic you'd be able to achieve?
Justin Vandenberg
I guess the ideal scenario would be some type of addition to the configuration object to specify the number of failed attempts allowed and refresh interval on the auth requests. Other than that, a hook that would fire before the credentials are verified should suffice. I believe I'd just need access to the email, password, and IP to implement some form of rate limiting.
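The counting approach miho describes and the "max failed attempts plus refresh interval" configuration Justin asks for, as an added framework-agnostic TypeScript example (not Wasp's code and not the project's own). It assumes a hook point that runs before the password is checked; the in-memory Map stands in for a counter field on the User entity, and the key can be the email, the client IP, or both.

```typescript
// Added example: failed-login lockout policy (counter per key, lock after N
// consecutive failures inside a window, reset on success). Not Wasp's API;
// the Map is a stand-in for a field on the User entity.

export interface LockoutPolicy {
  maxFailedAttempts: number; // lock once this many failures land in one window
  windowMs: number;          // failures older than this start a fresh window
  lockMs: number;            // how long logins stay refused after a lock
}

interface AttemptRecord { failures: number; firstFailureAt: number; lockedUntil: number; }

export class LoginGuard {
  private records = new Map<string, AttemptRecord>();
  // `now` is injectable so the behaviour can be tested without waiting
  constructor(private policy: LockoutPolicy, private now: () => number = Date.now) {}

  // Call BEFORE verifying credentials: remaining lock time in ms, 0 if allowed.
  lockedFor(key: string): number {
    const rec = this.records.get(key);
    if (!rec) return 0;
    const remaining = rec.lockedUntil - this.now();
    return remaining > 0 ? remaining : 0;
  }

  // Call after a failed credential check. Returns true if this failure locked the key.
  recordFailure(key: string): boolean {
    const t = this.now();
    let rec = this.records.get(key);
    if (!rec || t - rec.firstFailureAt > this.policy.windowMs) {
      rec = { failures: 0, firstFailureAt: t, lockedUntil: 0 }; // new window
    }
    rec.failures += 1;
    if (rec.failures >= this.policy.maxFailedAttempts) rec.lockedUntil = t + this.policy.lockMs;
    this.records.set(key, rec);
    return rec.lockedUntil > t;
  }

  // Call after a successful login: the consecutive-failure count resets.
  recordSuccess(key: string): void { this.records.delete(key); }
}

// Hypothetical pre-credential-check hook: the lock is consulted before the
// password is verified, so a locked key is refused even with the right password.
export function attemptLogin(guard: LoginGuard, key: string, passwordOk: boolean): "locked" | "ok" | "failed" {
  if (guard.lockedFor(key) > 0) return "locked";
  if (passwordOk) { guard.recordSuccess(key); return "ok"; }
  guard.recordFailure(key);
  return "failed";
}
```

Keying by email alone lets an attacker lock a victim out deliberately, so pairing the email with a per-IP limit and a short lock duration keeps the brute-force protection without making denial of service trivial.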
