mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 08:11:08 +00:00
Oleksandr Bezdieniezhnykh
5224a12589
UserService.ValidateUser calls RegisterSuccessfulLogin on a successful password verify, which resets FailedLoginCount=0 even on the MFA path (the reset happens inside ValidateUser before the MFA branch returns the step-1 token). Seeding the counter before /login was therefore a no-op — the threshold-1 seed was wiped before the wrong-TOTP request got a chance to trip the lockout. Move SetLockoutUntil to AFTER step 1 succeeds in AC1, AC2, AC7. AC7 now also genuinely exercises MfaService's own counter reset on a correct TOTP, instead of being satisfied by the password-success reset. Co-authored-by: Cursor <cursoragent@cursor.com>
324 B
324 B
Autodev State
Current Step
flow: existing-code step: 11 name: Run Tests status: in_progress sub_step: phase: 2 name: run detail: "scripts/run-tests.sh (docker-compose, ~6 min)" leftovers_to_replay: - _docs/_process_leftovers/2026-05-14_suite_infra_jwt_secret_drift.md retry_count: 0 cycle: 2 tracker: jira