From e529818560a1a3dc3c91cbbe708f74dd202a53e8 Mon Sep 17 00:00:00 2001
From: Kenn Jacobsen
Date: Fri, 10 Feb 2023 10:56:55 +0100
Subject: [PATCH] Make the default lockout time configurable for users and members (#13808)
* Make the default lock timeout configurable for users and members
* Update obsoletion to V13
---
 .../Configuration/Models/SecuritySettings.cs | 15 +++++++++++++++
 .../ConfigureBackOfficeIdentityOptions.cs | 19 ++++++++++++++++---
 .../ConfigureMemberIdentityOptions.cs | 3 +--
 3 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/src/Umbraco.Core/Configuration/Models/SecuritySettings.cs b/src/Umbraco.Core/Configuration/Models/SecuritySettings.cs
index 708f9b98c2..eca2501a63 100644
--- a/src/Umbraco.Core/Configuration/Models/SecuritySettings.cs
+++ b/src/Umbraco.Core/Configuration/Models/SecuritySettings.cs
@@ -22,6 +22,9 @@ public class SecuritySettings
 internal const string StaticAllowedUserNameCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+\\";
+ internal const int StaticMemberDefaultLockoutTimeInMinutes = 30 * 24 * 60;
+ internal const int StaticUserDefaultLockoutTimeInMinutes = 30 * 24 * 60;
+
 ///
 /// Gets or sets a value indicating whether to keep the user logged in.
 ///
@@ -86,6 +89,18 @@ public class SecuritySettings
 [DefaultValue(StaticUserBypassTwoFactorForExternalLogins)]
 public bool UserBypassTwoFactorForExternalLogins { get; set; } = StaticUserBypassTwoFactorForExternalLogins;
+ ///
+ /// Gets or sets a value for how long (in minutes) a member is locked out when a lockout occurs.
+ ///
+ [DefaultValue(StaticMemberDefaultLockoutTimeInMinutes)]
+ public int MemberDefaultLockoutTimeInMinutes { get; set; } = StaticMemberDefaultLockoutTimeInMinutes;
+
+ ///
+ /// Gets or sets a value for how long (in minutes) a user is locked out when a lockout occurs.
+ ///
+ [DefaultValue(StaticUserDefaultLockoutTimeInMinutes)]
+ public int UserDefaultLockoutTimeInMinutes { get; set; } = StaticUserDefaultLockoutTimeInMinutes;
+
 ///
 /// Gets or sets a value indicating whether to allow editing invariant properties from a non-default language variation.
 ///
diff --git a/src/Umbraco.Web.BackOffice/Security/ConfigureBackOfficeIdentityOptions.cs b/src/Umbraco.Web.BackOffice/Security/ConfigureBackOfficeIdentityOptions.cs
index a480991648..e3f897018a 100644
--- a/src/Umbraco.Web.BackOffice/Security/ConfigureBackOfficeIdentityOptions.cs
+++ b/src/Umbraco.Web.BackOffice/Security/ConfigureBackOfficeIdentityOptions.cs
@@ -1,8 +1,10 @@
 using System.Security.Claims;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Core.Security;
+using Umbraco.Cms.Web.Common.DependencyInjection;
 using Umbraco.Extensions;
 namespace Umbraco.Cms.Web.BackOffice.Security;
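Review bot: Neither `MemberDefaultLockoutTimeInMinutes` nor `UserDefaultLockoutTimeInMinutes` is range-checked in the SecuritySettings hunk that adds them, so a configured value of zero or a negative number is accepted as-is. The code that turns these minutes into a lockout duration is not visible here, but if it passes them on unchanged, such a value would presumably make a lockout end immediately or fail at startup, removing the throttling of repeated failed logins that the setting controls. Consider rejecting non-positive values in a settings validator, or clamping where the value is consumed. The contract could also be stated in both summaries, e.g. `/// Must be greater than zero; defaults to 43200 (30 days).`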
@@ -13,9 +15,21 @@ namespace Umbraco.Cms.Web.BackOffice.Security;
 public sealed class ConfigureBackOfficeIdentityOptions : IConfigureOptions
 {
 private readonly UserPasswordConfigurationSettings _userPasswordConfiguration;
+ private readonly SecuritySettings _securitySettings;
- public ConfigureBackOfficeIdentityOptions(IOptions userPasswordConfiguration) =>
+ [Obsolete("Use the constructor that accepts SecuritySettings. Will be removed in V13.")]
+ public ConfigureBackOfficeIdentityOptions(IOptions userPasswordConfiguration)
+ : this(userPasswordConfiguration, StaticServiceProvider.Instance.GetRequiredService>())
+ {
+ }
+
+ public ConfigureBackOfficeIdentityOptions(
+ IOptions userPasswordConfiguration,
+ IOptions securitySettings)
+ {
 _userPasswordConfiguration = userPasswordConfiguration.Value;
+ _securitySettings = securitySettings.Value;
+ }
 public void Configure(BackOfficeIdentityOptions options)
 {
@@ -31,8 +45,7 @@ public sealed class ConfigureBackOfficeIdentityOptions : IConfigureOptions
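Review bot: The new two-argument constructor in the `-13,9 +15,21` hunk dereferences `securitySettings.Value` without a null check and has no XML documentation. A guard such as `_securitySettings = (securitySettings ?? throw new ArgumentNullException(nameof(securitySettings))).Value;` would fail with a clearer message than a null-reference error. The obsolete overload resolves its settings through `StaticServiceProvider.Instance`, so it presumably only works once that static provider has been initialised; a remark on the `[Obsolete]` constructor should say so. Because `.Value` is read once in the constructor, the lockout duration appears to be fixed for the lifetime of the instance, which is worth noting in a `<summary>`. `Configure` continues outside the hunk, so how the setting is applied cannot be checked from here.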