Merge pull request #683 from umbraco/U4-6603

U4-6603 Log failed login attempts
2015-05-11 09:07:24 +10:00
parent 2a9d3df822 c34605937c
commit 2c92cd9ca9
1 changed files with 26 additions and 6 deletions
--- a/src/Umbraco.Web/Editors/AuthenticationController.cs
+++ b/src/Umbraco.Web/Editors/AuthenticationController.cs
@@ -21,6 +21,7 @@ using Umbraco.Web.Security;
 using Umbraco.Web.WebApi;
 using Umbraco.Web.WebApi.Filters;
 using umbraco.providers;
+using Umbraco.Core.Logging;

 namespace Umbraco.Web.Editors
 {
@@ -102,23 +103,25 @@ namespace Umbraco.Web.Editors
        [SetAngularAntiForgeryTokens]
        public UserDetail PostLogin(LoginModel loginModel)
        {
+            var http = this.TryGetHttpContext();
+            if (http.Success == false)
+                throw new InvalidOperationException("This method requires that an HttpContext be active");
+
+            var ipAddress = GetIPAddress(http.Result);
+
            if (UmbracoContext.Security.ValidateBackOfficeCredentials(loginModel.Username, loginModel.Password))
            {
                var user = Security.GetBackOfficeUser(loginModel.Username);

                //TODO: Clean up the int cast!
                var ticket = UmbracoContext.Security.PerformLogin(user);
-
-                var http = this.TryGetHttpContext();
-                if (http.Success == false)
-                {
-                    throw new InvalidOperationException("This method requires that an HttpContext be active");
-                }
                http.Result.AuthenticateCurrentRequest(ticket, false);

                var result = Mapper.Map<UserDetail>(user);
                //set their remaining seconds
                result.SecondsUntilTimeout = ticket.GetRemainingAuthSeconds();
+                
+                LogHelper.Info<AuthenticationController>(string.Format("Login attempt succeeded for username {0} from IP address {1}", loginModel.Username, ipAddress));
                return result;
            }

@@ -126,6 +129,8 @@ namespace Umbraco.Web.Editors
            // by our angular helper because it thinks that we need to re-perform the request once we are
            // authorized and we don't want to return a 403 because angular will show a warning msg indicating 
            // that the user doesn't have access to perform this function, we just want to return a normal invalid msg.
+            
+            LogHelper.Info<AuthenticationController>(string.Format("Login attempt failed for username {0} from IP address {1}", loginModel.Username, ipAddress));
            throw new HttpResponseException(HttpStatusCode.BadRequest);
        }

@@ -141,5 +146,20 @@ namespace Umbraco.Web.Editors
        {           
            return Request.CreateResponse(HttpStatusCode.OK);
        }
+
+        // From: http://stackoverflow.com/a/740431/5018
+        protected string GetIPAddress(HttpContextBase httpContext)
+        {
+            var ipAddress = httpContext.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
+
+            if (string.IsNullOrEmpty(ipAddress)) 
+                return httpContext.Request.ServerVariables["REMOTE_ADDR"];
+
+            var addresses = ipAddress.Split(',');
+            if (addresses.Length != 0)
+                return addresses[0];
+
+            return httpContext.Request.ServerVariables["REMOTE_ADDR"];
+        }
    }
 }