Login attempts not working?

edtorba

4 months ago

1 1

Hi all,

got the following setup for the users' collection:

auth: {
  useAPIKey: true,
  tokenExpiration: 86400, // 24h
  maxLoginAttempts: 3,
  lockTime: 900, // 15min
},

As a test did multiple login attempts via graphql-playground where I got the following message in first 3 attempts:

"message": "The email or password provided is incorrect.",

^ That's ok and as expected.

4th attempt

"message": "This user is locked due to having too many failed login attempts.",

^ Fine.

5th attempt

"message": "The email or password provided is incorrect.",

^ Say whaaaat?

On 6th attempt, I set the correct password and got logged in. However, the expected response would be - a locked account.

Question - is lockTime also defined in seconds (docs don't state in what format) as tokenExpiration? If yes, I guess that's a bug then? If not, what's going wrong?

Version 1.2.0

Thanks.

Selected Answer
edtorba
4 months ago
Turns out it is working just fine...

Annoyingly @ https://payloadcms.com/docs/authentication/config it didn't state that lockTime is defined in ms and I simply assumed that it is seconds as two rows above tokenExpiration is in fact configured in seconds.

Spotted that it is meant to be in ms @ https://payloadcms.com/docs/production/preventing-abuse.

Suggestion for the documentation - maybe it's worth having an additional column(s), e.g. default values, expected units, etc.

Open the post

Continue the discussion in GitHub

Can't find what you're looking for?
Get help straight from the Payload team with an Enterprise License.Learn More