feat: Harden login captcha gate by replacing request-body counter with server-side session counter (UserController::postLogin)

Author: matiasperrone-exo

app/Http/Controllers/UserController.php

@@ -13,6 +13,7 @@
  **/
 
 use App\Http\Controllers\OpenId\DiscoveryController;
+use LaravelDoctrine\ORM\Facades\EntityManager;
 use RyanChandler\LaravelCloudflareTurnstile\Rules\Turnstile;
 use App\Jobs\RevokeUserGrantsOnExplicitLogout;
 use App\Http\Controllers\OpenId\OpenIdController;
@@ -396,8 +397,8 @@ public function postLogin()
     {
         $max_login_attempts_2_show_captcha = $this->server_configuration_service->getConfigValue("MaxFailed.LoginAttempts.2ShowCaptcha");
         $max_login_failed_attempts = intval($this->server_configuration_service->getConfigValue("MaxFailed.Login.Attempts"));
-        $login_attempts                    = 0;
-        $username                          = '';
+        $login_attempts = (int) Session::get('captcha_failed_attempts', 0);
+        $username = '';
         $user = null;
 
         try
@@ -411,7 +412,6 @@ public function postLogin()
             if (isset($data['password']))
                 $data['password'] = trim($data['password']);
 
-            $login_attempts = intval(Request::input('login_attempts'));
             // Build the validation constraint set.
             $rules = [
                 'username' => 'required|email',
@@ -436,7 +436,15 @@ public function postLogin()
                 $connection = $data['connection'] ?? null;
 
                 try {
+                    $user = $this->auth_service->getUserByUsername($username);
                     if ($flow == "password" && $this->auth_service->login($username, $password, $remember)) {
+                        if ($user)
+                        {
+                            $user->setLoginFailedAttempt(0);
+                            EntityManager::flush();
+                        }
+                        Session::forget('captcha_failed_attempts');
+                        Session::save();
                         return $this->login_strategy->postLogin();
                     }
 
@@ -468,15 +476,23 @@ public function postLogin()
 
                         $otpClaim = OAuth2OTP::fromParams($username, $connection, $password);
                         $this->auth_service->loginWithOTP($otpClaim, $client);
+                        if ($user)
+                        {
+                            $user->setLoginFailedAttempt(0);
+                            EntityManager::flush();
+                        }
+                        Session::forget('captcha_failed_attempts');
+                        Session::save();
                         return $this->login_strategy->postLogin();
                     }
                 } catch (AuthenticationException $ex) {
                     // failed login attempt...
 
-                    $user = $this->auth_service->getUserByUsername($username);
-                    if (!is_null($user)) {
-                        $login_attempts = $user->getLoginFailedAttempt();
-                    }
+                    $login_attempts = $user ? $user->updateLoginFailedAttempt() : $login_attempts + 1;
+                    Session::put('captcha_failed_attempts', $login_attempts);
+                    Session::save();
+
+                    // User.loginFailedAttempt drives account lockout (persisted by auth_service).
 
                     return $this->login_strategy->errorLogin
                     (
@@ -525,6 +541,9 @@ public function postLogin()
             Log::warning($ex1);
 
             $user = $this->auth_service->getUserByUsername($username);
+            $login_attempts = $user ? $user->updateLoginFailedAttempt() : $login_attempts + 1;
+            Session::put('captcha_failed_attempts', $login_attempts);
+            Session::save();
 
             $response_data =    [
                 'max_login_attempts_2_show_captcha' => $max_login_attempts_2_show_captcha,

resources/js/login/login.js

@@ -185,7 +185,6 @@ const PasswordInputForm = ({
             <input type="hidden" value={userNameValue} id="username" name="username"/>
             <input type="hidden" value={csrfToken} id="_token" name="_token"/>
             <input type="hidden" value="password" id="flow" name="flow"/>
-            <input type="hidden" value={loginAttempts} id="login_attempts" name="login_attempts"/>
             {shouldShowCaptcha() && captchaPublicKey &&
                 <Turnstile
                     className={styles.turnstile}
@@ -271,7 +270,6 @@ const OTPInputForm = ({
                 <input type="hidden" value="otp" id="flow" name="flow"/>
                 <input type="hidden" value={otpCode} id="password" name="password"/>
                 <input type="hidden" value="email" id="connection" name="connection"/>
-                <input type="hidden" value={loginAttempts} id="login_attempts" name="login_attempts"/>
                 {shouldShowCaptcha() && captchaPublicKey &&
                     <Turnstile
                         className={styles.turnstile}

resources/views/auth/login.blade.php

@@ -62,8 +62,8 @@
             config.maxLoginFailedAttempts = {{Session::get("max_login_failed_attempts")}};
         @endif
 
-        @if(Session::has('login_attempts'))
-            config.loginAttempts = {{Session::get("login_attempts")}};
+        @if(Session::has('captcha_failed_attempts'))
+            config.loginAttempts = {{Session::get("captcha_failed_attempts")}};
         @endif
 
         @if(Session::has('user_is_active'))