Raise events for failed login attempts for unknown users

2017-06-05 10:43:57 +02:00
parent 3019d67922
commit 114b58c5ca
3 changed files with 19 additions and 3 deletions
--- a/src/Umbraco.Core/Auditing/IdentityAuditEventArgs.cs
+++ b/src/Umbraco.Core/Auditing/IdentityAuditEventArgs.cs
@@ -14,6 +14,11 @@ namespace Umbraco.Core.Auditing
        public int PerformingUser { get; set; }
        public string Comment { get; set; }

+        /// <summary>
+        /// This property is always empty except in the LoginFailed event for an unknown user trying to login
+        /// </summary>
+        public string Username { get; set; }
+
        public IdentityAuditEventArgs(AuditEvent action, string ipAddress = "", int performingUser = -1)
        {
            DateTimeUtc = DateTime.UtcNow;
--- a/src/Umbraco.Core/Security/BackOfficeUserManager.cs
+++ b/src/Umbraco.Core/Security/BackOfficeUserManager.cs
@@ -386,6 +386,15 @@ namespace Umbraco.Core.Security
            });
        }

+        public void RaiseInvalidLoginAttemptEvent(string username)
+        {
+            OnLoginFailed(new IdentityAuditEventArgs(AuditEvent.LoginFailed)
+            {
+                Username = username,
+                Comment = string.Format("Attempted login for username '{0}' failed", username)
+            });
+        }
+
        /// <summary>
        /// Clears a lock so that the membership user can be validated.
        /// </summary>
--- a/src/Umbraco.Web/Editors/AuthenticationController.cs
+++ b/src/Umbraco.Web/Editors/AuthenticationController.cs
@@ -185,10 +185,12 @@ namespace Umbraco.Web.Editors
                case SignInStatus.LockedOut:
                case SignInStatus.Failure:
                default:
-                    //return BadRequest (400), we don't want to return a 401 because that get's intercepted 
+                    //return BadRequest (400), we don't want to return a 401 because that get's intercepted
                    // by our angular helper because it thinks that we need to re-perform the request once we are
-                    // authorized and we don't want to return a 403 because angular will show a warning msg indicating 
-                    // that the user doesn't have access to perform this function, we just want to return a normal invalid msg.            
+                    // authorized and we don't want to return a 403 because angular will show a warning msg indicating
+                    // that the user doesn't have access to perform this function, we just want to return a normal invalid msg.
+                    if (UserManager != null)
+                        UserManager.RaiseInvalidLoginAttemptEvent(loginModel.Username);
                    throw new HttpResponseException(HttpStatusCode.BadRequest);
            }
        }