Disable the user account after 10 failed password attempts

pkg/routes/api/v1/login.go

@@ -20,10 +20,8 @@ import (
 	"net/http"
 
 	"code.vikunja.io/api/pkg/db"
-	"code.vikunja.io/api/pkg/log"
 	"code.vikunja.io/api/pkg/models"
 	"code.vikunja.io/api/pkg/modules/auth"
-	"code.vikunja.io/api/pkg/notifications"
 	user2 "code.vikunja.io/api/pkg/user"
 	"code.vikunja.io/web/handler"
 
@@ -59,6 +57,11 @@ func Login(c echo.Context) error {
 		return handler.HandleHTTPError(err, c)
 	}
 
+	if user.Status == user2.StatusDisabled {
+		_ = s.Rollback()
+		return handler.HandleHTTPError(&user2.ErrAccountDisabled{UserID: user.ID}, c)
+	}
+
 	totpEnabled, err := user2.TOTPEnabledForUser(s, user)
 	if err != nil {
 		_ = s.Rollback()
@@ -67,6 +70,7 @@ func Login(c echo.Context) error {
 
 	if totpEnabled {
 		if u.TOTPPasscode == "" {
+			_ = s.Rollback()
 			return handler.HandleHTTPError(user2.ErrInvalidTOTPPasscode{}, c)
 		}
 
@@ -76,12 +80,7 @@ func Login(c echo.Context) error {
 		})
 		if err != nil {
 			if user2.IsErrInvalidTOTPPasscode(err) {
-				log.Errorf("Invalid TOTP credentials provided for user %d", user.ID)
-
-				err2 := notifications.Notify(user, &user2.InvalidTOTPNotification{User: user})
-				if err2 != nil {
-					log.Errorf("Could not send failed TOTP notification to user %d: %s", user.ID, err2)
-				}
+				user2.HandleFailedTOTPAuth(s, user)
 			}
 			_ = s.Rollback()
 			return handler.HandleHTTPError(err, c)