fix: fallback to password login when mfa needs captcha#12438
wanghe-fit2cloud merged 1 commit into dev-v2 from
Conversation
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected; please follow our release note process to remove it.

[APPROVALNOTIFIER] This PR is NOT APPROVED. Needs approval from an approver in each of these files:
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d8b1b772eb
| go saveLoginLogs(c, wrapLoginErr(msgKey, err)) | ||
| if msgKey == "ErrMFA" { | ||
| global.IPTracker.RecordFailure(ip) | ||
| failures := initauth.GetMFASessionStore().RecordFailure(req.SessionID) |
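Review bot: the branch on `if msgKey == "ErrMFA"` dispatches on a message-key string, so it cannot distinguish which check inside AuthService.MFALogin failed, and both `global.IPTracker.RecordFailure(ip)` and `initauth.GetMFASessionStore().RecordFailure(req.SessionID)` run for every ErrMFA result; have MFALogin return distinct error values (session missing, IP mismatch, invalid code) and gate the session-store counter on the invalid-code one only, since the IP tracker is the right place to count the other two. The value bound to `failures` is consumed on a line not shown in this excerpt, so the threshold and fallback logic cannot be reviewed from here.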
Count MFA failures only for invalid codes
This now increments the MFA session failure counter for every ErrMFA response, but ErrMFA is also returned when the session is missing or the request IP does not match (AuthService.MFALogin checks those before code validation). As a result, retries from a changed client IP (or any caller holding a valid session ID) can consume failure budget without ever submitting a wrong OTP, eventually deleting the session and forcing captcha fallback. Please gate RecordFailure to the actual invalid-code path (or return a distinct error for non-code MFA failures).
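The gating the review asks for, as an added example in Go that is not 1Panel's code: the service returns distinct errors for a missing session, an IP mismatch and a wrong code (the names `ErrMFASessionMissing`, `ErrMFAIPMismatch`, `ErrMFAInvalidCode`, the `MFASessionStore` type and `HandleMFALogin` are all hypothetical), and the handler only charges the session's failure budget on the invalid-code path. The session's expected code is a constructed stand-in for a real TOTP check.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
)

// Distinct errors for the three ways MFALogin can fail (hypothetical names).
var (
	ErrMFASessionMissing = errors.New("mfa session missing")
	ErrMFAIPMismatch     = errors.New("mfa session bound to a different ip")
	ErrMFAInvalidCode    = errors.New("mfa code invalid")
)

// MFASession is a pending second-factor login bound to the IP that passed the
// password step. ExpectedCode is a constructed stand-in for TOTP validation.
type MFASession struct {
	IP           string
	ExpectedCode string
	Failures     int
}

// MFASessionStore holds pending sessions and a per-session failure budget.
type MFASessionStore struct {
	mu       sync.Mutex
	sessions map[string]*MFASession
	maxFails int
}

func NewMFASessionStore(maxFails int) *MFASessionStore {
	return &MFASessionStore{sessions: map[string]*MFASession{}, maxFails: maxFails}
}

func (s *MFASessionStore) Create(id, ip, expectedCode string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = &MFASession{IP: ip, ExpectedCode: expectedCode}
}

func (s *MFASessionStore) Get(id string) (MFASession, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if sess, ok := s.sessions[id]; ok {
		return *sess, true
	}
	return MFASession{}, false
}

func (s *MFASessionStore) Delete(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id)
}

func (s *MFASessionStore) Exists(id string) bool {
	_, ok := s.Get(id)
	return ok
}

// RecordFailure counts one wrong code against the session and deletes the
// session once the budget is exhausted. It returns the new count and whether
// the session was deleted (the point at which captcha fallback would begin).
func (s *MFASessionStore) RecordFailure(id string) (int, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return 0, false
	}
	sess.Failures++
	if sess.Failures >= s.maxFails {
		delete(s.sessions, id)
		return sess.Failures, true
	}
	return sess.Failures, false
}

// MFALogin keeps the ordering the review describes: session, then IP, then code.
func MFALogin(store *MFASessionStore, sessionID, ip, code string) error {
	sess, ok := store.Get(sessionID)
	if !ok {
		return ErrMFASessionMissing
	}
	if sess.IP != ip {
		return ErrMFAIPMismatch
	}
	if subtle.ConstantTimeCompare([]byte(sess.ExpectedCode), []byte(code)) != 1 {
		return ErrMFAInvalidCode
	}
	store.Delete(sessionID) // a successful login consumes the session
	return nil
}

// HandleMFALogin is the handler-side gate: only ErrMFAInvalidCode charges the
// session's failure budget, so a caller with the wrong IP or an unknown session
// ID gets an error but cannot burn the legitimate session's budget. The bool
// reports whether the session was deleted and the client should fall back to
// password-plus-captcha login.
func HandleMFALogin(store *MFASessionStore, sessionID, ip, code string) (bool, error) {
	err := MFALogin(store, sessionID, ip, code)
	if errors.Is(err, ErrMFAInvalidCode) {
		_, deleted := store.RecordFailure(sessionID)
		return deleted, err
	}
	return false, err
}

func main() {
	store := NewMFASessionStore(3)
	store.Create("sess-1", "10.0.0.1", "123456") // constructed sample session
	for i := 0; i < 5; i++ {
		_, err := HandleMFALogin(store, "sess-1", "10.0.0.2", "000000")
		fmt.Println("wrong ip:", err)
	}
	fmt.Println("alive after 5 mismatched-IP attempts:", store.Exists("sess-1"))
	for i := 0; i < 3; i++ {
		fallback, err := HandleMFALogin(store, "sess-1", "10.0.0.1", "000000")
		fmt.Println("wrong code:", err, "fallback:", fallback)
	}
	fmt.Println("alive after 3 wrong codes:", store.Exists("sess-1"))
}
```

Running it shows five mismatched-IP attempts leaving the session intact, while the third wrong code from the bound IP deletes it and signals the fallback.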
No description provided.