mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 14:51:10 +00:00
Oleksandr Bezdieniezhnykh
5224a12589
UserService.ValidateUser calls RegisterSuccessfulLogin on a successful password verify, which resets FailedLoginCount=0 even on the MFA path (the reset happens inside ValidateUser before the MFA branch returns the step-1 token). Seeding the counter before /login was therefore a no-op — the threshold-1 seed was wiped before the wrong-TOTP request got a chance to trip the lockout. Move SetLockoutUntil to AFTER step 1 succeeds in AC1, AC2, AC7. AC7 now also genuinely exercises MfaService's own counter reset on a correct TOTP, instead of being satisfied by the password-success reset. Co-authored-by: Cursor <cursoragent@cursor.com>