mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
56fdc40290
Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats.
40 lines
2.1 KiB
Gherkin
40 lines
2.1 KiB
Gherkin
Feature: Authelia regulates authentication to avoid brute force
|
|
|
|
@needs-test-config
|
|
@need-registered-user-blackhat
|
|
Scenario: Attacker tries too many authentication in a short period of time and get banned
|
|
Given I visit "https://auth.test.local:8080/"
|
|
And I set field "username" to "blackhat"
|
|
And I set field "password" to "bad-password"
|
|
And I click on "Sign in"
|
|
And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
|
|
And I set field "password" to "bad-password"
|
|
And I click on "Sign in"
|
|
And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
|
|
And I set field "password" to "bad-password"
|
|
And I click on "Sign in"
|
|
And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
|
|
When I set field "password" to "password"
|
|
And I click on "Sign in"
|
|
Then I get a notification of type "error" with message "Authentication failed. Please check your credentials."
|
|
|
|
@needs-test-config
|
|
@need-registered-user-blackhat
|
|
Scenario: User is unbanned after a configured amount of time
|
|
Given I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
|
And I set field "username" to "blackhat"
|
|
And I set field "password" to "bad-password"
|
|
And I click on "Sign in"
|
|
And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
|
|
And I set field "password" to "bad-password"
|
|
And I click on "Sign in"
|
|
And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
|
|
And I set field "password" to "bad-password"
|
|
And I click on "Sign in"
|
|
And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
|
|
When I wait 6 seconds
|
|
And I set field "password" to "password"
|
|
And I click on "Sign in"
|
|
And I use "REGISTERED" as TOTP token handle
|
|
And I click on "TOTP"
|
|
Then I'm redirected to "https://public.test.local:8080/secret.html" |