
UserManager.AccessFailedAsync results in overflow if DefaultLockoutTimeSpan is too large #60181

Open
1 task done
bgi-jerry-king opened this issue Feb 3, 2025 · 0 comments
Labels
area-identity Includes: Identity and providers

Comments

@bgi-jerry-king

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

When using ASP.NET Identity, under certain conditions, the method UserManager.AccessFailedAsync() fails with an overflow exception if the DefaultLockoutTimeSpan is too large.

An example scenario where this may occur: when a call to SignInManager<TIdentityUser>.TwoFactorSignInAsync() results in a failed MFA sign-in, the method UserManager.AccessFailedAsync() will be called.

The problem is this line:

await store.SetLockoutEndDateAsync(user, DateTimeOffset.UtcNow.Add(Options.Lockout.DefaultLockoutTimeSpan),
    CancellationToken).ConfigureAwait(false);

The use case here is that DefaultLockoutTimeSpan was being set to TimeSpan.MaxValue as a way to basically enforce that lockouts are not automatically removed, so as to lock an account for investigation of suspicious activity for certain operations, such as entering many invalid MFA codes over and over again.

Expected Behavior

I think this should be more forgiving or have a way to set an indefinite lockout timespan. The only alternative currently available is setting to something large, but arbitrary, such as TimeSpan.FromDays(50000) which just looks worse - if you see 12/31/9999 as an end date, you have an idea that it's basically forever, but if you see 2/4/4737, for example, it doesn't mean anything.

So in UserManager either update the call to something like this:

var now = DateTimeOffset.UtcNow;

// DateTimeOffset.MaxValue - now is always a representable TimeSpan, so the
// comparison itself cannot throw; subtracting a huge span from MaxValue would.
DateTimeOffset lockoutEnd = Options.Lockout.DefaultLockoutTimeSpan >= DateTimeOffset.MaxValue - now
    ? DateTimeOffset.MaxValue
    : now.Add(Options.Lockout.DefaultLockoutTimeSpan);

await store.SetLockoutEndDateAsync(user, lockoutEnd, CancellationToken).ConfigureAwait(false);

Or a new option added to specify an endless lockout.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

.NET 9

Anything else?

No response
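Added example, not code from the issue or from ASP.NET Core Identity: a stand-alone program that shows the unguarded DateTimeOffset.Add throwing for TimeSpan.MaxValue, beside a clamped helper (assumed name LockoutEnd.Compute) that saturates at DateTimeOffset.MaxValue so an "indefinite" lockout can be stored without an exception.

```csharp
using System;

// Added example (not UserManager code): compute a lockout end date that
// saturates at DateTimeOffset.MaxValue instead of throwing when the
// configured lockout span is very large.
static class LockoutEnd
{
    // Returns now + span, clamped to DateTimeOffset.MaxValue.
    // DateTimeOffset.MaxValue - now is always a representable TimeSpan, so
    // the comparison never overflows; now.Add(TimeSpan.MaxValue) would throw.
    public static DateTimeOffset Compute(DateTimeOffset now, TimeSpan span)
    {
        TimeSpan remaining = DateTimeOffset.MaxValue - now;
        return span >= remaining ? DateTimeOffset.MaxValue : now.Add(span);
    }

    static void Main()
    {
        var now = DateTimeOffset.UtcNow;

        // 1. The unguarded call, as in UserManager.AccessFailedAsync, with a
        //    lockout span of TimeSpan.MaxValue: DateTime arithmetic rejects
        //    the out-of-range result with ArgumentOutOfRangeException.
        try
        {
            _ = now.Add(TimeSpan.MaxValue);
            Console.WriteLine("unexpected: no exception");
        }
        catch (ArgumentOutOfRangeException ex)
        {
            Console.WriteLine($"unguarded Add threw {ex.GetType().Name}");
        }

        // 2. The same inputs through the clamped helper: short spans are
        //    unchanged, anything that would pass year 9999 becomes MaxValue.
        var spans = new[] { TimeSpan.FromMinutes(5), TimeSpan.FromDays(50000), TimeSpan.MaxValue };
        foreach (var span in spans)
        {
            DateTimeOffset end = Compute(now, span);
            bool indefinite = end == DateTimeOffset.MaxValue;
            Console.WriteLine($"{span,-27} -> {end:yyyy-MM-dd} (indefinite: {indefinite})");
        }
    }
}
```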

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-identity Includes: Identity and providers label Feb 3, 2025