Lockout lock fix #4453
Lockout lock fix #4453
Conversation
🎉 Snyk checks have passed. No issues have been found so far.✅ security/snyk check is complete. No issues have been found. (View Details) |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
Greptile Summary
This PR implements a distributed locking mechanism to fix race conditions in the identity universal authentication lockout system. The changes add a new Redis key prefix IdentityLockoutLock to the keystore infrastructure and modify the login service to use proper locking during authentication attempts.
The core functionality revolves around preventing concurrent authentication attempts from bypassing lockout protections. When multiple login requests arrive simultaneously for the same identity, they could previously read and modify the lockout counter concurrently, potentially allowing attackers to circumvent account lockout mechanisms. The solution uses Redis-based distributed locks (via Redlock) to ensure only one authentication attempt per identity can be processed at a time.
The implementation adds a new keystore prefix function that generates unique lock keys based on a lockout identifier, following the established pattern in the codebase. In the authentication service, the logic now acquires a lock before checking lockout status, implements proper lockout tracking with failed attempt counting and automatic expiry, and ensures lock cleanup in a finally block to prevent deadlocks.
Additionally, the PR increases the Node.js memory allocation for TypeScript type checking from default to 8GB, standardizing it with other development scripts to prevent out-of-memory errors during compilation of the large codebase. The authentication error messaging is also improved to use generic 'Invalid credentials' responses, preventing information disclosure about identity existence.
Confidence score: 4/5
- This PR addresses a critical security vulnerability with a well-implemented solution using established patterns
- Score reflects solid implementation but lockout logic complexity and potential edge cases around lock timeouts require attention
- Pay close attention to the lockout logic in identity-ua-service.ts and verify the lock timeout handling
Context used:
Context - Follow a specific logging pattern for easier querying in cloud services, such as including the username in the format '[username=${username}]'. (link)
3 files reviewed, 2 comments
Large diff is from putting most of the function in a try-catch