stages/password: fix failed_attempts_before_cancel allowing one too m… (#6763)

* stages/password: fix failed_attempts_before_cancel allowing one too many tries Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-09-05 21:58:11 +02:00 · 2023-09-05 21:58:11 +02:00 · aa209efa90
parent 7e9e2ec53d
commit aa209efa90
2 changed files with 8 additions and 2 deletions
--- a/authentik/stages/password/stage.py
+++ b/authentik/stages/password/stage.py
@ -111,7 +111,7 @@ class PasswordStageView(ChallengeStageView):
        current_stage: PasswordStage = self.executor.current_stage
        if (
            self.request.session[SESSION_KEY_INVALID_TRIES]
-            > current_stage.failed_attempts_before_cancel
+            >= current_stage.failed_attempts_before_cancel
        ):
            self.logger.debug("User has exceeded maximum tries")
            del self.request.session[SESSION_KEY_INVALID_TRIES]
--- a/authentik/stages/password/tests.py
+++ b/authentik/stages/password/tests.py
@ -108,7 +108,7 @@ class TestPasswordStage(FlowTestCase):
        session[SESSION_KEY_PLAN] = plan
        session.save()

-        for _ in range(self.stage.failed_attempts_before_cancel):
+        for _ in range(self.stage.failed_attempts_before_cancel - 1):
            response = self.client.post(
                reverse(
                    "authentik_api:flow-executor",
@ -118,6 +118,11 @@ class TestPasswordStage(FlowTestCase):
                {"password": self.user.username + "test"},
            )
            self.assertEqual(response.status_code, 200)
+            self.assertStageResponse(
+                response,
+                flow=self.flow,
+                response_errors={"password": [{"string": "Invalid password", "code": "invalid"}]},
+            )

        response = self.client.post(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
@ -127,6 +132,7 @@ class TestPasswordStage(FlowTestCase):
        self.assertEqual(response.status_code, 200)
        # To ensure the plan has been cancelled, check SESSION_KEY_PLAN
        self.assertNotIn(SESSION_KEY_PLAN, self.client.session)
+        self.assertStageResponse(response, flow=self.flow, error_message="Unknown error")

    @patch(
        "authentik.flows.views.executor.to_stage_response",