Enhanced Login Lockout Client Handling

Author: mckaragoz

samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor

@@ -84,7 +84,21 @@
                             </MudStack>
                             <MudTextField @ref="@_usernameField" @bind-Value="@_username" Variant="Variant.Outlined" Label="Username" Immediate="true" />
                             <MudPasswordField @bind-Value="@_password" Variant="Variant.Outlined" Label="Password" Immediate="true" />
-                            <MudButton Variant="Variant.Filled" Color="Color.Primary" ButtonType="ButtonType.Submit">Login</MudButton>
+                            <MudButton Variant="Variant.Filled" Color="Color.Primary" Disabled="@_isLocked" ButtonType="ButtonType.Submit">Login</MudButton>
+                            @if (_isLocked)
+                            {
+                                <MudAlert NoIcon="true" Severity="Severity.Error" Variant="Variant.Filled">
+                                    <MudStack Row="true" AlignItems="AlignItems.Center" Justify="Justify.SpaceBetween">
+                                        <MudStack Spacing="0">
+                                            <MudText Typo="Typo.subtitle2">Your account is locked.</MudText>
+                                            <MudText Typo="Typo.subtitle2">Try again in </MudText>
+                                        </MudStack>
+                                        <MudProgressCircular Class="mud-theme-error" Value="@_progressPercent" Max="100" Size="Size.Large">
+                                            @_remaining.Minutes.ToString("00"):@_remaining.Seconds.ToString("00")
+                                        </MudProgressCircular>
+                                    </MudStack>
+                                </MudAlert>
+                            }
                         </MudStack>
                     </UAuthLoginForm>
                     <MudAlert Severity="Severity.Info" Variant="Variant.Text" Dense="true">

samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor.cs

@@ -17,6 +17,14 @@ public partial class Login
     private UAuthClientProductInfo? _productInfo;
     private MudTextField<string> _usernameField = default!;
 
+    private DateTimeOffset? _lockoutUntil;
+    private TimeSpan _remaining;
+    private System.Threading.Timer? _countdownTimer;
+    private bool _isLocked;
+    private DateTimeOffset? _lockoutStartedAt;
+    private TimeSpan _lockoutDuration;
+    private double _progressPercent;
+
     [CascadingParameter]
     public UAuthState AuthState { get; set; } = default!;
 
@@ -75,32 +83,119 @@ private async Task ProgrammaticLogin()
 
     protected override void OnAfterRender(bool firstRender)
     {
-        if (firstRender)
+        if (!firstRender)
+            return;
+
+        var uri = Nav.ToAbsoluteUri(Nav.Uri);
+        var query = Microsoft.AspNetCore.WebUtilities.QueryHelpers.ParseQuery(uri.Query);
+
+        if (query.TryGetValue("error", out var error))
         {
-            var uri = Nav.ToAbsoluteUri(Nav.Uri);
-            var query = Microsoft.AspNetCore.WebUtilities.QueryHelpers.ParseQuery(uri.Query);
+            query.TryGetValue("lockedUntil", out var lockedRaw);
+            query.TryGetValue("remainingAttempts", out var remainingRaw);
 
-            if (query.TryGetValue("error", out var error))
-            {
-                ShowLoginError(error.ToString());
-                ClearQueryString();
-            }
+            HandleLoginError(error.ToString(), lockedRaw.ToString(), remainingRaw.ToString());
+
+            ClearQueryString();
         }
     }
 
-    private void ShowLoginError(string code)
+    private void HandleLoginError(string code, string? lockedUntilRaw, string? remainingRaw)
     {
-        var message = code switch
+        if (code == "locked" && long.TryParse(lockedUntilRaw, out var unix))
         {
-            "invalid_credentials" => "Invalid username or password.",
-            "locked" => "Your account is locked.",
-            "mfa_required" => "Multi-factor authentication required.",
-            _ => "Login failed."
-        };
+            _lockoutUntil = DateTimeOffset.FromUnixTimeSeconds(unix);
+            StartCountdown();
+            return;
+        }
+
+        ShowLoginError(code, remainingRaw);
+    }
+
+    private void ShowLoginError(string code, string? remainingRaw)
+    {
+        string message;
+
+        switch (code)
+        {
+            case "invalid_credentials":
+                if (int.TryParse(remainingRaw, out var remaining) && remaining > 0)
+                {
+                    message = $"Invalid username or password. {remaining} attempt(s) remaining.";
+                }
+                else
+                {
+                    message = "Invalid username or password.";
+                }
+                break;
+
+            case "mfa_required":
+                message = "Multi-factor authentication required.";
+                break;
+
+            default:
+                message = "Login failed.";
+                break;
+        }
 
         Snackbar.Add(message, Severity.Error);
     }
 
+    private void StartCountdown()
+    {
+        if (_lockoutUntil is null)
+            return;
+
+        _isLocked = true;
+        _lockoutStartedAt = DateTimeOffset.UtcNow;
+        _lockoutDuration = _lockoutUntil.Value - DateTimeOffset.UtcNow;
+        UpdateRemaining();
+
+        _countdownTimer?.Dispose();
+        _countdownTimer = new System.Threading.Timer(_ =>
+        {
+            InvokeAsync(() =>
+            {
+                UpdateRemaining();
+
+                if (_remaining <= TimeSpan.Zero)
+                {
+                    _countdownTimer?.Dispose();
+                    _isLocked = false;
+                    _lockoutUntil = null;
+                    _progressPercent = 0;
+                }
+
+                StateHasChanged();
+            });
+        }, null, 0, 1000);
+    }
+
+    private void UpdateRemaining()
+    {
+        if (_lockoutUntil is null || _lockoutStartedAt is null)
+            return;
+
+        var now = DateTimeOffset.UtcNow;
+
+        _remaining = _lockoutUntil.Value - now;
+
+        if (_remaining <= TimeSpan.Zero)
+        {
+            _remaining = TimeSpan.Zero;
+            _progressPercent = 0;
+            return;
+        }
+
+        var elapsed = now - _lockoutStartedAt.Value;
+
+        if (_lockoutDuration.TotalSeconds > 0)
+        {
+            var percent = 100 - (elapsed.TotalSeconds / _lockoutDuration.TotalSeconds * 100);
+            _progressPercent = Math.Max(0, percent);
+        }
+    }
+
     private void ClearQueryString()
     {
         var uri = new Uri(Nav.Uri);
@@ -111,5 +206,6 @@ private void ClearQueryString()
     public void Dispose()
     {
         AuthStateProvider.AuthenticationStateChanged -= OnAuthStateChanged;
+        _countdownTimer?.Dispose();
     }
 }

samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Program.cs

@@ -40,6 +40,8 @@
     //o.Session.IdleTimeout = TimeSpan.FromSeconds(15);
     //o.Token.AccessTokenLifetime = TimeSpan.FromSeconds(30);
     //o.Token.RefreshTokenLifetime = TimeSpan.FromSeconds(32);
+    o.Login.MaxFailedAttempts = 1;
+    o.Login.LockoutDuration = TimeSpan.FromSeconds(10);
 })
     .AddUltimateAuthUsersInMemory()
     .AddUltimateAuthUsersReference()

src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginResult.cs

@@ -10,17 +10,20 @@ public sealed record LoginResult
     public RefreshToken? RefreshToken { get; init; }
     public LoginContinuation? Continuation { get; init; }
     public AuthFailureReason? FailureReason { get; init; }
+    public DateTimeOffset? LockoutUntilUtc { get; init; }
+    public int? RemainingAttempts { get; init; }
 
     public bool IsSuccess => Status == LoginStatus.Success;
     public bool RequiresContinuation => Continuation is not null;
     public bool RequiresMfa => Continuation?.Type == LoginContinuationType.Mfa;
     public bool RequiresPkce => Continuation?.Type == LoginContinuationType.Pkce;
 
-    public static LoginResult Failed(AuthFailureReason? reason = null)
+    public static LoginResult Failed(AuthFailureReason? reason = null, DateTimeOffset? lockoutUntilUtc = null)
         => new()
         {
             Status = LoginStatus.Failed,
-            FailureReason = reason
+            FailureReason = reason,
+            LockoutUntilUtc = lockoutUntilUtc
         };
 
     public static LoginResult Success(AuthSessionId sessionId, AuthTokens? tokens = null)

src/CodeBeam.UltimateAuth.Core/Options/UAuthLoginOptions.cs

@@ -14,13 +14,13 @@ public sealed class UAuthLoginOptions
     public int MaxFailedAttempts { get; set; } = 10;
 
     /// <summary>
-    /// Duration (in minutes) for which the user is locked out after exceeding <see cref="MaxFailedAttempts" />.
+    /// Duration for which the user is locked out after exceeding <see cref="MaxFailedAttempts" />.
     /// </summary>
-    public int LockoutMinutes { get; set; } = 15;
+    public TimeSpan LockoutDuration { get; set; } = TimeSpan.FromMinutes(15);
 
     internal UAuthLoginOptions Clone() => new()
     {
         MaxFailedAttempts = MaxFailedAttempts,
-        LockoutMinutes = LockoutMinutes
+        LockoutDuration = LockoutDuration
     };
 }

src/CodeBeam.UltimateAuth.Core/Options/Validators/UAuthLoginOptionsValidator.cs

@@ -14,7 +14,7 @@ public ValidateOptionsResult Validate(string? name, UAuthLoginOptions options)
         if (options.MaxFailedAttempts > 100)
             errors.Add("Login.MaxFailedAttempts cannot exceed 100. Use 0 to disable lockout.");
 
-        if (options.MaxFailedAttempts > 0 && options.LockoutMinutes <= 0)
+        if (options.MaxFailedAttempts > 0 && options.LockoutDuration <= TimeSpan.Zero)
             errors.Add("Login.LockoutMinutes must be greater than zero when lockout is enabled.");
 
         return errors.Count == 0

src/CodeBeam.UltimateAuth.Server/Auth/Response/EffectiveRedirectResponse.cs

@@ -11,24 +11,30 @@ public sealed class EffectiveRedirectResponse
     public string? FailureQueryKey { get; }
     public IReadOnlyDictionary<AuthFailureReason, string>? FailureCodes { get; }
     public bool AllowReturnUrlOverride { get; }
+    public bool IncludeLockoutTiming { get; }
+    public bool IncludeRemainingAttempts { get; }
 
     public EffectiveRedirectResponse(
         bool enabled,
         string? successPath,
         string? failurePath,
         string? failureQueryKey,
         IReadOnlyDictionary<AuthFailureReason, string>? failureCodes,
-        bool allowReturnUrlOverride)
+        bool allowReturnUrlOverride,
+        bool includeLockoutTiming,
+        bool includeRemainingAttempts)
     {
         Enabled = enabled;
         SuccessPath = successPath;
         FailurePath = failurePath;
         FailureQueryKey = failureQueryKey;
         FailureCodes = failureCodes;
         AllowReturnUrlOverride = allowReturnUrlOverride;
+        IncludeLockoutTiming = includeLockoutTiming;
+        IncludeRemainingAttempts = includeRemainingAttempts;
     }
 
-    public static readonly EffectiveRedirectResponse Disabled = new(false, null, null, null, null, false);
+    public static readonly EffectiveRedirectResponse Disabled = new(false, null, null, null, null, false, false, false);
 
     public static EffectiveRedirectResponse FromLogin(LoginRedirectOptions login)
     => new(
@@ -37,7 +43,9 @@ public static EffectiveRedirectResponse FromLogin(LoginRedirectOptions login)
         login.FailureRedirect,
         login.FailureQueryKey,
         login.FailureCodes,
-        login.AllowReturnUrlOverride
+        login.AllowReturnUrlOverride,
+        login.IncludeLockoutTiming,
+        login.IncludeRemainingAttempts
     );
 
     public static EffectiveRedirectResponse FromLogout(LogoutRedirectOptions logout)
@@ -47,6 +55,8 @@ public static EffectiveRedirectResponse FromLogout(LogoutRedirectOptions logout)
             null,
             null,
             null,
-            logout.AllowReturnUrlOverride
+            logout.AllowReturnUrlOverride,
+            false,
+            false
         );
 }

src/CodeBeam.UltimateAuth.Server/Endpoints/LoginEndpointHandler.cs

@@ -1,11 +1,9 @@
 using CodeBeam.UltimateAuth.Core.Abstractions;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
-using CodeBeam.UltimateAuth.Core.Options;
 using CodeBeam.UltimateAuth.Server.Abstractions;
 using CodeBeam.UltimateAuth.Server.Auth;
 using CodeBeam.UltimateAuth.Server.Infrastructure;
-using CodeBeam.UltimateAuth.Server.Options;
 using CodeBeam.UltimateAuth.Server.Services;
 using Microsoft.AspNetCore.Http;
 
@@ -68,7 +66,7 @@ public async Task<IResult> LoginAsync(HttpContext ctx)
 
         if (!result.IsSuccess)
         {
-            var decisionFailure = _redirectResolver.ResolveFailure(authFlow, ctx, result.FailureReason ?? AuthFailureReason.Unknown);
+            var decisionFailure = _redirectResolver.ResolveFailure(authFlow, ctx, result.FailureReason ?? AuthFailureReason.Unknown, result);
 
             return decisionFailure.Enabled
                 ? Results.Redirect(decisionFailure.TargetUrl!)

src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginOrchestrator.cs

@@ -127,6 +127,7 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
         };
 
         var decision = _authority.Decide(decisionContext);
+        DateTimeOffset? lockoutUntilUtc = null;
 
         if (candidateUserId is not null)
         {
@@ -138,6 +139,11 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
             {
                 var isCurrentlyLocked = securityState?.IsLocked == true && securityState?.LockedUntil is DateTimeOffset until && until > now;
 
+                if (isCurrentlyLocked)
+                {
+                    lockoutUntilUtc = securityState!.LockedUntil;
+                }
+
                 if (!isCurrentlyLocked)
                 {
                     await _securityWriter.RecordFailedLoginAsync(request.Tenant, candidateUserId, now, ct);
@@ -147,16 +153,25 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
 
                     if (_options.Login.MaxFailedAttempts > 0 && nextCount >= _options.Login.MaxFailedAttempts)
                     {
-                        var lockedUntil = now.AddMinutes(_options.Login.LockoutMinutes);
+                        var lockedUntil = now.Add(_options.Login.LockoutDuration);
                         await _securityWriter.LockUntilAsync(request.Tenant, candidateUserId, lockedUntil, ct);
+                        lockoutUntilUtc = lockedUntil;
                     }
                 }
 
             }
         }
 
         if (decision.Kind == LoginDecisionKind.Deny)
+        {
+            if (lockoutUntilUtc is not null)
+                return LoginResult.Failed(AuthFailureReason.LockedOut, lockoutUntilUtc);
+
+            if (decision.FailureReason == AuthFailureReason.LockedOut)
+                return LoginResult.Failed(decision.FailureReason, lockoutUntilUtc);
+
             return LoginResult.Failed(decision.FailureReason);
+        }
 
         if (decision.Kind == LoginDecisionKind.Challenge)
         {