- Issue created by @Anybody
- 🇮🇳India sakthi_dev
@anybody, found that the watchdog message is handled in core. Can you please create issue in core and add it here as related issue?
- Merge request !44Issue#3441424: Update the logger message with username. → (Open) created by sakthi_dev
- Status changed to Needs review
8 months ago 10:32am 17 April 2024 - 🇮🇳India sakthi_dev
Created a separate log from this module. Please suggest what would be the best way of implementation.
- Status changed to Needs work
8 months ago 12:01pm 17 April 2024 - 🇩🇪Germany Anybody Porta Westfalica
@sakthi_dev great! Where can we find the existing message? Guess we'll have it twice otherwise? Did you test that?
- 🇩🇪Germany Grevil
This is already a feature of the core flood control but is triggered by the "user_limit" config instead of the "ip_limit" config
user_limit:
The allowed number of failed login attempts with one username within the allowed time window.If this limit is reached, the "UserEvents::FLOOD_BLOCKED_USER" event is triggered and the UserFloodSubscriber will log the User as well:
$this->logger->notice('Flood control blocked login attempt for uid %uid from %ip', ['%uid' => $uid, '%ip' => $ip]);
The problem is, that if the "ip_limit" is reached, the code returns early and the handling for the "user_limit" is skipped entirely. Furthermore, from what I understand, the "ip_limit" is more easily reached, as the login attempts will not take the username into account.
But yea, in general the logging should already provide the user ID, I'll do some internal testing.
- 🇩🇪Germany Anybody Porta Westfalica
Here are the sources:
https://git.drupalcode.org/search?search=%22Flood+control+blocked+login+...Precisely:
https://git.drupalcode.org/project/drupal/-/blob/11.x/core/modules/user/...So this needs to be moved to core and totally makes sense to add that information.
- 🇩🇪Germany Grevil
Just had another look with @Anybody. To be precise, we need to check "hasUid()" in the blockedIp() method in "web/core/modules/user/src/EventSubscriber/UserFloodSubscriber.php" and add the user id, if it exists. Afterward, we need to move the account and identifier logic up above the "user.failed_login_ip" isAllowed event call in "validateAuthentication()" of "web/core/modules/user/src/Form/UserLoginForm.php".
And adjust tests accordingly.
- Merge request !7574Issue #3441424: Include uid in flood control "UserEvents::FLOOD_BLOCKED_USER" event to be logged when a IP was blocked → (Open) created by Grevil
- 🇩🇪Germany Anybody Porta Westfalica
Nice! I guess some tests will fail, which check the existing output that will now (hopefully) include the username, if present.
- 🇩🇪Germany Grevil
Ok, this all doesn't seem to work properly yet. I couldn't recreate the failure in the tests, but I also still get the old log message without the uid, so something is not quite as it should be.