feat: Harden login captcha gate by replacing request-body counter with server-side session counter (UserController::postLogin)

matiasperrone-exo · matiasperrone-exo · commit 8f00f9ca504c · 2026-05-19T14:51:43.000Z
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
@@ -396,8 +396,8 @@ public function postLogin()
     {
         $max_login_attempts_2_show_captcha = $this->server_configuration_service->getConfigValue("MaxFailed.LoginAttempts.2ShowCaptcha");
         $max_login_failed_attempts = intval($this->server_configuration_service->getConfigValue("MaxFailed.Login.Attempts"));
-        $login_attempts                    = 0;
-        $username                          = '';
+        $login_attempts = (int) Session::get('captcha_failed_attempts', 0);
+        $username = '';
         $user = null;
 
         try
@@ -411,7 +411,6 @@ public function postLogin()
             if (isset($data['password']))
                 $data['password'] = trim($data['password']);
 
-            $login_attempts = intval(Request::input('login_attempts'));
             // Build the validation constraint set.
             $rules = [
                 'username' => 'required|email',
@@ -436,7 +435,10 @@ public function postLogin()
                 $connection = $data['connection'] ?? null;
 
                 try {
+                    $user = $this->auth_service->getUserByUsername($username);
                     if ($flow == "password" && $this->auth_service->login($username, $password, $remember)) {
+                        $user->setLoginFailedAttempt(0);
+                        Session::forget('captcha_failed_attempts');
                         return $this->login_strategy->postLogin();
                     }
 
@@ -468,15 +470,17 @@ public function postLogin()
 
                         $otpClaim = OAuth2OTP::fromParams($username, $connection, $password);
                         $this->auth_service->loginWithOTP($otpClaim, $client);
+                        $user->setLoginFailedAttempt(0);
+                        Session::forget('captcha_failed_attempts');
                         return $this->login_strategy->postLogin();
                     }
                 } catch (AuthenticationException $ex) {
                     // failed login attempt...
 
-                    $user = $this->auth_service->getUserByUsername($username);
-                    if (!is_null($user)) {
-                        $login_attempts = $user->getLoginFailedAttempt();
-                    }
+                    $login_attempts = $user ? $user?->updateLoginFailedAttempt() : $login_attempts + 1;
+                    Session::put('captcha_failed_attempts', $login_attempts);
+
+                    // User.loginFailedAttempt drives account lockout (persisted by auth_service).
 
                     return $this->login_strategy->errorLogin
                     (
diff --git a/resources/js/login/login.js b/resources/js/login/login.js
@@ -185,7 +185,6 @@ const PasswordInputForm = ({
             <input type="hidden" value={userNameValue} id="username" name="username"/>
             <input type="hidden" value={csrfToken} id="_token" name="_token"/>
             <input type="hidden" value="password" id="flow" name="flow"/>
-            <input type="hidden" value={loginAttempts} id="login_attempts" name="login_attempts"/>
             {shouldShowCaptcha() && captchaPublicKey &&
                 <Turnstile
                     className={styles.turnstile}
@@ -271,7 +270,6 @@ const OTPInputForm = ({
                 <input type="hidden" value="otp" id="flow" name="flow"/>
                 <input type="hidden" value={otpCode} id="password" name="password"/>
                 <input type="hidden" value="email" id="connection" name="connection"/>
-                <input type="hidden" value={loginAttempts} id="login_attempts" name="login_attempts"/>
                 {shouldShowCaptcha() && captchaPublicKey &&
                     <Turnstile
                         className={styles.turnstile}
diff --git a/resources/views/auth/login.blade.php b/resources/views/auth/login.blade.php
@@ -62,8 +62,8 @@
             config.maxLoginFailedAttempts = {{Session::get("max_login_failed_attempts")}};
         @endif
 
-        @if(Session::has('login_attempts'))
-            config.loginAttempts = {{Session::get("login_attempts")}};
+        @if(Session::has('captcha_failed_attempts'))
+            config.loginAttempts = {{Session::get("captcha_failed_attempts")}};
         @endif
 
         @if(Session::has('user_is_active'))
diff --git a/tests/UserLoginTurnstileTest.php b/tests/UserLoginTurnstileTest.php
@@ -14,6 +14,7 @@
  **/
 
 use Auth\User;
+use Illuminate\Cookie\CookieValuePrefix;
 use Illuminate\Support\Facades\Session;
 use LaravelDoctrine\ORM\Facades\EntityManager;
 use RyanChandler\LaravelCloudflareTurnstile\Facades\Turnstile;
@@ -22,10 +23,10 @@
  * Class UserLoginTurnstileTest
  *
  * Covers Cloudflare Turnstile integration in UserController::postLogin():
- *  - cf-turnstile-response required when login_attempts (from request body) >= threshold
+ *  - cf-turnstile-response required when captcha_failed_attempts (session) >= threshold
  *  - threshold gating (before / at boundary / above boundary)
- *  - omitted login_attempts field defaults to zero (no captcha required)
- *  - captcha is gated on the request-body counter
+ *  - absent captcha_failed_attempts session key defaults to zero (no captcha required)
+ *  - captcha is gated on the server-side session counter, not request-body input
  *  - login screen emits Turnstile JS config after a failed attempt
  *  - expired or unsolved token is rejected
  */
@@ -59,18 +60,33 @@ private function getTestUser(): User
             ->findOneBy(['identifier' => 'sebastian.marcet']);
     }
 
-    private function postLogin(array $overrides = [])
+    private function postLogin(array $overrides = [], array $sessionData = [])
     {
-        // GET the login page first so the session (and its CSRF token) is established,
-        // mirroring how a real browser submits the form.
-        $this->call('GET', self::LOGIN_URL);
+        // GET establishes the session and CSRF token, mirroring a real browser.
+        $getResponse = $this->call('GET', self::LOGIN_URL);
+
+        // Inject session data after session is established, before the POST reads it.
+        foreach ($sessionData as $key => $value) {
+            $this->app['session']->driver()->put($key, $value);
+        }
+
+        // Persist injected data to the session store so the POST kernel cycle can load it.
+        $this->app['session']->driver()->save();
+
+        // Re-send the session cookie so StartSession loads the same session ID on the POST.
+        $sessionName = $this->app['session']->getName();
+        $sessionId   = $this->app['session']->driver()->getId();
+        $encryptedSessionCookie = encrypt(
+            CookieValuePrefix::create($sessionName, $this->app['encrypter']->getKey()) . $sessionId,
+            false
+        );
 
         return $this->call('POST', self::LOGIN_URL, array_merge([
             'username' => $this->testEmail,
             'password' => $this->testPassword,
             'flow' => 'password',
             '_token' => Session::token(),
-        ], $overrides));
+        ], $overrides), [$sessionName => $encryptedSessionCookie]);
     }
 
     private function fakeTurnstilePass(): void
@@ -101,15 +117,14 @@ private function sessionHasValidationError(string $field): bool
 
     public function testMissingTurnstileResponseFailsValidationWhenAtThreshold(): void
     {
-        $user = $this->getTestUser();
-
-        $this->postLogin([
-            "login_attempts" => self::CAPTCHA_THRESHOLD,
-        ]); // no cf-turnstile-response
+        $this->postLogin(
+            [],  // no cf-turnstile-response
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
 
         $this->assertTrue(
             $this->sessionHasValidationError('cf-turnstile-response'),
-            'Expected a validation error for cf-turnstile-response when user is at threshold'
+            'Expected a validation error for cf-turnstile-response when session counter is at threshold'
         );
     }
 
@@ -119,47 +134,43 @@ public function testMissingTurnstileResponseFailsValidationWhenAtThreshold(): vo
 
     public function testLoginBelowThresholdDoesNotRequireTurnstile(): void
     {
-        $user = $this->getTestUser();
-
-        $this->postLogin([
-            'login_attempts' => self::CAPTCHA_THRESHOLD - 1
-        ]); // correct credentials, no captcha token
+        $this->postLogin(
+            [],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD - 1]
+        );
 
         $this->assertFalse(
             $this->sessionHasValidationError('cf-turnstile-response'),
-            'Turnstile must not be required when login attempts are below threshold'
+            'Turnstile must not be required when session counter is below threshold'
         );
     }
 
     public function testLoginAtThresholdWithValidTokenPassesValidation(): void
     {
-        $user = $this->getTestUser();
-
         $this->fakeTurnstilePass();
 
-        $this->postLogin([
-            'cf-turnstile-response' => 'dummy-token-accepted-by-mock',
-            'login_attempts' => self::CAPTCHA_THRESHOLD
-        ]);
+        $this->postLogin(
+            ['cf-turnstile-response' => 'dummy-token-accepted-by-mock'],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
 
         $this->assertFalse(
             $this->sessionHasValidationError('cf-turnstile-response'),
             'A valid Turnstile token must clear the captcha validation rule'
         );
     }
 
-    public function testOmittedLoginAttemptsFieldDefaultsToZeroNoCaptchaRequired(): void
+    public function testAbsentSessionCounterDefaultsToZeroNoCaptchaRequired(): void
     {
-        // No login_attempts key posted → intval(null) = 0 → below threshold →
-        // captcha rule is never added to the validator.
+        // No captcha_failed_attempts in session → defaults to 0 → below threshold.
         $this->postLogin([
             'username' => 'nobody@doesnotexist.example',
             'password' => 'irrelevant',
         ]);
 
         $this->assertFalse(
             $this->sessionHasValidationError('cf-turnstile-response'),
-            'Turnstile must not be required when login_attempts is absent from the request'
+            'Turnstile must not be required when captcha_failed_attempts is absent from session'
         );
     }
 
@@ -169,22 +180,17 @@ public function testOmittedLoginAttemptsFieldDefaultsToZeroNoCaptchaRequired():
 
     public function testLoginScreenIncludesTurnstileConfigWhenAboveThreshold(): void
     {
-        $user = $this->getTestUser();
-
-        // Place user one below threshold; the wrong-password attempt crosses it.
-        $this->postLogin([
-            'password' => 'wrong-password',
-            'login_attempts' => self::CAPTCHA_THRESHOLD - 1
-        ]);
+        // Session counter one below threshold; the wrong-password attempt crosses it.
+        $this->postLogin(
+            ['password' => 'wrong-password'],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD - 1]
+        );
 
-        // errorLogin() flashes max_login_attempts_2_show_captcha into the session;
+        // errorLogin() flashes captcha_failed_attempts (updated session counter) into the session;
         // following the redirect renders login.blade.php which emits those values.
         $html = $this->call('GET', self::LOGIN_URL)->getContent();
 
-        // captchaPublicKey is always rendered (login.blade.php, not conditional)
         $this->assertStringContainsString('captchaPublicKey', $html);
-
-        // maxLoginAttempts2ShowCaptcha is emitted when the session key is set
         $this->assertStringContainsString('maxLoginAttempts2ShowCaptcha', $html);
     }
 
@@ -194,15 +200,12 @@ public function testLoginScreenIncludesTurnstileConfigWhenAboveThreshold(): void
 
     public function testExpiredTurnstileTokenFailsValidation(): void
     {
-        $user = $this->getTestUser();
-
-        // Cloudflare API returns success=false (expired / already-used token)
         $this->fakeTurnstileFail();
 
-        $this->postLogin([
-            'cf-turnstile-response' => 'expired-or-invalid-token',
-            'login_attempts' => self::CAPTCHA_THRESHOLD
-        ]);
+        $this->postLogin(
+            ['cf-turnstile-response' => 'expired-or-invalid-token'],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
 
         $this->assertTrue(
             $this->sessionHasValidationError('cf-turnstile-response'),
@@ -212,17 +215,74 @@ public function testExpiredTurnstileTokenFailsValidation(): void
 
     public function testUnsolvedCaptchaEmptyTokenFailsValidation(): void
     {
-        $user = $this->getTestUser();
-
-        // Empty string triggers the 'required' rule before any Cloudflare call
-        $this->postLogin([
-            'cf-turnstile-response' => '',
-            'login_attempts' => self::CAPTCHA_THRESHOLD
-        ]);
+        $this->postLogin(
+            ['cf-turnstile-response' => ''],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
 
         $this->assertTrue(
             $this->sessionHasValidationError('cf-turnstile-response'),
             'An empty Turnstile response must be rejected by the required rule'
         );
     }
+
+    // -------------------------------------------------------------------------
+    // 6. Request-body login_attempts is ignored; only session counter matters
+    // -------------------------------------------------------------------------
+
+    public function testRequestSuppliedLoginAttemptsIsIgnored(): void
+    {
+        // Session counter is at threshold but the POST body claims login_attempts=0.
+        // The captcha gate must still fire because the server ignores the body field.
+        $this->postLogin(
+            ['login_attempts' => 0],  // attacker-supplied body value: below threshold
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]  // server session: at threshold
+        );
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'cf-turnstile-response must be required based on the session counter, not the request body'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // 7. Enumeration safety: captcha fires for non-existent users too
+    // -------------------------------------------------------------------------
+
+    public function testCaptchaRequiredForUnknownUsernameWhenSessionAtThreshold(): void
+    {
+        // A non-existent username must still require captcha when the session counter
+        // is at threshold — no oracle for whether the account exists.
+        $this->postLogin(
+            [
+                'username' => 'nobody@doesnotexist.example',
+                'password' => 'irrelevant',
+            ],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'cf-turnstile-response must be required for non-existent users when session counter is at threshold'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // 8. Successful login resets the session counter
+    // -------------------------------------------------------------------------
+
+    public function testSuccessfulLoginClearsSessionCounter(): void
+    {
+        $this->fakeTurnstilePass();
+
+        $this->postLogin(
+            ['cf-turnstile-response' => 'valid-token'],
+            ['captcha_failed_attempts' => self::CAPTCHA_THRESHOLD]
+        );
+
+        $this->assertNull(
+            $this->app['session']->driver()->get('captcha_failed_attempts'),
+            'captcha_failed_attempts must be removed from session after a successful login'
+        );
+    }
 }
