Hi all,
got the following setup for the users' collection:
auth: {
  useAPIKey: true,
  tokenExpiration: 86400, // 24h
  maxLoginAttempts: 3,
  lockTime: 900, // 15min
},
As a test I did multiple login attempts via graphql-playground, where I got the following message in the first 3 attempts:
"message": "The email or password provided is incorrect.",
^ That's ok and as expected.
4th attempt:
"message": "This user is locked due to having too many failed login attempts.",
^ Fine.
5th attempt:
"message": "The email or password provided is incorrect.",
^ Say whaaaat?
On the 6th attempt I set the correct password and got logged in. However, the expected response would be a locked account.
Question - is lockTime also defined in seconds (the docs don't state in what format), like tokenExpiration? If yes, I guess that's a bug then? If not, what's going wrong?
Version 1.2.0
Thanks.
Turns out it is working just fine...
Annoyingly, @ https://payloadcms.com/docs/authentication/config it didn't state that lockTime is defined in ms, and I simply assumed that it is seconds, as two rows above tokenExpiration is in fact configured in seconds.
Spotted that it is meant to be in ms @ https://payloadcms.com/docs/production/preventing-abuse.
Suggestion for the documentation - maybe it's worth having additional column(s), e.g. default values, expected units, etc.
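To make the unit mix-up concrete, here is an added example (not Payload's own code) that models the maxLoginAttempts/lockTime behaviour in a simplified way and replays the six attempts from the post; the lockout rules, user record and passwords are assumptions constructed for this illustration, and the "looks like seconds" check is a heuristic you could run over your own collection config.

```javascript
// Simplified model of a failed-login lockout (assumption, not Payload's code).
const MESSAGES = {
  incorrect: 'The email or password provided is incorrect.',
  locked: 'This user is locked due to having too many failed login attempts.',
  ok: 'Logged in.',
};

// Constructed user record for the example.
function makeUser(password) {
  return { password, loginAttempts: 0, lockUntil: null };
}

// One login attempt at time `now` (ms). lockTime is in MILLISECONDS.
function attemptLogin(user, password, authConfig, now) {
  const { maxLoginAttempts, lockTime } = authConfig;
  if (user.lockUntil !== null && user.lockUntil > now) {
    return MESSAGES.locked; // lock still active
  }
  if (user.lockUntil !== null) {
    user.lockUntil = null; // lock lapsed: start counting again
    user.loginAttempts = 0;
  }
  if (password !== user.password) {
    user.loginAttempts += 1;
    if (user.loginAttempts >= maxLoginAttempts) {
      user.lockUntil = now + lockTime;
    }
    return MESSAGES.incorrect;
  }
  user.loginAttempts = 0;
  return MESSAGES.ok;
}

// Replay the post: five wrong passwords, then the right one, `spacingMs` apart.
function replay(authConfig, spacingMs) {
  const user = makeUser('correct-horse'); // constructed credential
  const attempts = ['bad', 'bad', 'bad', 'bad', 'bad', 'correct-horse'];
  return attempts.map((pw, i) => attemptLogin(user, pw, authConfig, i * spacingMs));
}

// Heuristic: a lockTime under one minute of ms was almost certainly meant as seconds.
function lockTimeLooksLikeSeconds(authConfig) {
  return authConfig.lockTime > 0 && authConfig.lockTime < 60 * 1000;
}

// With lockTime: 900 (0.9 s) and attempts 500 ms apart, the 4th is "locked",
// the lock lapses before the 5th, and the 6th logs in; with 900000 all three stay locked.
const asPosted = replay({ maxLoginAttempts: 3, lockTime: 900 }, 500);
const corrected = replay({ maxLoginAttempts: 3, lockTime: 15 * 60 * 1000 }, 500);
```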