Re: Bug #6337 Patch - Mailing list pgadmin-hackers

Hi

On Mon, Jul 19, 2021 at 1:22 PM Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Florian

Following are the review comments:

• The "MAX_LOGIN_ATTEMPTS" parameter is not present in the config.py. It should be there with some default value maybe 3.
• Can be added like

##########################################################################

# MAX_LOGIN_ATTEMPTS which sets the number of failed login attempts that

# are allowed. If this value is exceeded the account is locked and can be

# reset by an administrator. By setting the variable to the value zero

# this feature is deactivated.

##########################################################################

MAX_LOGIN_ATTEMPTS = 3

• I have tested by specifying the above value, and it seems the logic is not correct. I can perform N number of unsuccessful attempts and when I provided the correct password it shows the flash message "Account locked".
• Once the account is locked, the pgAdmin4 server needs to restart, can we make it time-bound? I mean after N minutes user can try again, so no need to restart the pgAdmin4 server. 

Isn't the point that any admin can unlock the account from the user management dialog?

--

Dave Page

VP, Chief Architect, Database Infrastructure
Blog: https://www.enterprisedb.com/dave-page
Twitter: @pgsnake

EDB: https://www.enterprisedb.com