This plan addresses a security gap where login protection is bypassed when using email addresses for login, and improves the IP whitelist to support CIDR ranges.
User Review Required
Important
The fix for email-based login protection will now block failed login attempts against a specific email address, which was previously missing. This enhances security but may change behavior for users who frequently mistype their passwords when logging in with email.
Proposed Changes
Authentication Logic
[MODIFY] restrictLoginAttempts.ts
Update isValidAttemptByUser to extract either username or email from login.methodArguments[0].user.
Update saveFailedLoginAttempts to capture the email if username is unavailable in the method arguments.
Import isIpInCidrRange from @rocket.chat/server-fetch to support CIDR matching in isValidLoginAttemptByIp.
Verification Plan
Automated Tests
I will create or update unit tests for restrictLoginAttempts.ts to verify:
Failed logins with email are correctly blocked after the threshold.
CIDR ranges in the whitelist correctly allow access.
Manual Verification
I'll simulate failed login attempts using the LoginProtection logger to verify that the correct identifiers are being processed.