Skip to content

Auth fixes#640

Merged
MarcelGeo merged 6 commits into
developfrom
auth_fixes
Jul 1, 2026
Merged

Auth fixes#640
MarcelGeo merged 6 commits into
developfrom
auth_fixes

Conversation

@varmar05

Copy link
Copy Markdown
Collaborator
  • Session cookie gap fix: load_user now only returns active users; @auth_required checks is_active
  • Bcrypt lazy rehash: configurable BCRYPT_LOG_ROUNDS, passwords rehashed on next login if rounds differ
  • Account lockout: progressive tiers via LOCKOUT_POLICY env var, 423 response with AccountLockedError + added db migration: new failed_login_attempts and locked_until columns added

varmar05 added 3 commits June 17, 2026 15:07
 - `load_user` now returns None for inactive users, so their session cookies are rejected by Flask-Login
 - @auth_required adds `is_active` check
 - anonymize() now explicitly sets active=False for defence-in-depth
Existing passwords will be rehashed organically if needed.
@varmar05 varmar05 requested a review from MarcelGeo June 17, 2026 13:11
@coveralls

Copy link
Copy Markdown

Coverage Report for CI Build 27823802673

Coverage increased (+0.006%) to 92.162%

Details

  • Coverage increased (+0.006%) from the base build.
  • Patch coverage: 10 uncovered changes across 3 files (132 of 142 lines covered, 92.96%).
  • 1 coverage regression across 1 file.

Uncovered Changes

File Changed Covered %
server/mergin/auth/controller.py 13 9 69.23%
server/mergin/app.py 3 0 0.0%
server/mergin/auth/models.py 40 37 92.5%
Total (7 files) 142 132 92.96%

Coverage Regressions

1 previously-covered line in 1 file lost coverage.

File Lines Losing Coverage Coverage
server/mergin/auth/app.py 1 96.77%

Coverage Stats

Coverage Status
Relevant Lines: 10156
Covered Lines: 9360
Line Coverage: 92.16%
Coverage Strength: 0.92 hits per line

💛 - Coveralls

@MarcelGeo MarcelGeo requested a review from harminius June 23, 2026 07:21

@harminius harminius left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good 🛡️

Comment thread server/mergin/auth/models.py Outdated
Comment thread server/mergin/auth/errors.py Outdated
Comment thread server/mergin/auth/models.py Outdated

@MarcelGeo MarcelGeo left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need something to do in FE/clients/mobile - login attempts logic? @tomasMizera

@varmar05 We didn't implemented ip reputation in this mechanism -> There could be case when somebody can lock another account which he knows by email or accidentally similar emails can block each together. This could be probably handled by infra rate limiting - needs to discuss what values to adjust for current nginx config files in this repository - could be upgraded also nginx proxy.

Flask limiter wouldn't do the same job as database locking - probably issue with redis backend again.

Comment thread server/mergin/auth/controller.py Outdated
Comment thread server/mergin/auth/app.py
Comment thread server/mergin/auth/models.py Outdated
@MarcelGeo MarcelGeo merged commit 8efd371 into develop Jul 1, 2026
5 checks passed
@MarcelGeo MarcelGeo deleted the auth_fixes branch July 1, 2026 13:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants