Merge pull request #17454 from craftcms/bugfix/17445-max-invalid-logins-passkeys-and-2fa

bugfix/17445 2fa, passkeys and `maxInvalidLogins`

Author: brandonkelly

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Unreleased
 
 - Added `craft\fields\linktypes\BaseLinkType::isValueEmpty()`.
+- Added `craft\services\Auth::getAuthErrorMessage()`.
 - Added `craft\services\ElementSources::sourceExists()`.
 - Added new icons. ([#17441](https://github.com/craftcms/cms/pull/17441))
 - Updated yii2-debug to 2.1.27. ([#17115](https://github.com/craftcms/cms/issues/17115))
@@ -12,6 +13,7 @@
 - Fixed a bug where entries that were pasted within a Matrix field were losing custom field translations for other sites. ([17414](https://github.com/craftcms/cms/issues/17414))
 - Fixed a bug where Matrix fields’ chips were getting “Copy all entries” actions. ([#17404](https://github.com/craftcms/cms/issues/17404))
 - Fixed a bug where Link fields were validating if a deleted element was selected. ([#17409](https://github.com/craftcms/cms/issues/17409))
+- Users’ maximum invalid login counts now factor in invalid two-step verification attempts. ([#17454](https://github.com/craftcms/cms/pull/17454))
 
 ## 5.7.10 - 2025-06-04
 

src/controllers/AuthController.php

@@ -136,9 +136,10 @@ public function actionVerifyTotp(): Response
         $this->requireAcceptsJson();
 
         $code = $this->request->getRequiredBodyParam('code');
+        $authService = Craft::$app->getAuth();
 
-        if (!Craft::$app->getAuth()->verify(TOTP::class, $code)) {
-            return $this->asFailure(Craft::t('app', 'Invalid verification code.'));
+        if (!$authService->verify(TOTP::class, $code)) {
+            return $this->asFailure($authService->getAuthErrorMessage());
         }
 
         return $this->asSuccess(Craft::t('app', 'Verification successful.'));
@@ -155,9 +156,10 @@ public function actionVerifyRecoveryCode(): Response
         $this->requireAcceptsJson();
 
         $code = $this->request->getRequiredBodyParam('code');
+        $authService = Craft::$app->getAuth();
 
-        if (!Craft::$app->getAuth()->verify(RecoveryCodes::class, $code)) {
-            return $this->asFailure(Craft::t('app', 'Invalid recovery code.'));
+        if (!$authService->verify(RecoveryCodes::class, $code)) {
+            return $this->asFailure($authService->getAuthErrorMessage(Craft::t('app', 'Invalid recovery code.')));
         }
 
         return $this->asSuccess(Craft::t('app', 'Verification successful.'));

src/elements/User.php

@@ -1333,6 +1333,23 @@ public function validateAuthKey($authKey): ?bool
         return true;
     }
 
+    /**
+     * Handles an invalid login for a user and sets the authError param.
+     *
+     * @return void
+     */
+    public function handleInvalidLoginParam(): void
+    {
+        Craft::$app->getUsers()->handleInvalidLogin($this);
+        // Was that one bad password/2fa code/passkey too many?
+        if ($this->locked && !Craft::$app->getConfig()->getGeneral()->preventUserEnumeration) {
+            // Will set the authError to either AccountCooldown or AccountLocked
+            $this->authError = $this->_getAuthError();
+        } else {
+            $this->authError = self::AUTH_INVALID_CREDENTIALS;
+        }
+    }
+
     /**
      * Determines whether the user is allowed to be logged in with a given password.
      *
@@ -1363,14 +1380,7 @@ public function authenticate(string $password): bool
         }
 
         if (!$passwordValid) {
-            Craft::$app->getUsers()->handleInvalidLogin($this);
-            // Was that one bad password too many?
-            if ($this->locked && !Craft::$app->getConfig()->getGeneral()->preventUserEnumeration) {
-                // Will set the authError to either AccountCooldown or AccountLocked
-                $this->authError = $this->_getAuthError();
-            } else {
-                $this->authError = self::AUTH_INVALID_CREDENTIALS;
-            }
+            $this->handleInvalidLoginParam();
             return false;
         }
 
@@ -1421,7 +1431,7 @@ public function authenticateWithPasskey(
         }
 
         if (!$keyValid) {
-            $this->authError = self::AUTH_INVALID_CREDENTIALS;
+            $this->handleInvalidLoginParam();
             return false;
         }
 

src/services/Auth.php

@@ -21,6 +21,7 @@
 use craft\helpers\DateTimeHelper;
 use craft\helpers\Json;
 use craft\helpers\Session as SessionHelper;
+use craft\helpers\User as UserHelper;
 use craft\models\UserGroup;
 use craft\records\WebAuthn as WebAuthnRecord;
 use craft\web\Session;
@@ -204,6 +205,7 @@ public function verify(string $methodClass, mixed ...$args): bool
         $user = $this->getUser($sessionDuration);
 
         if (!$this->getMethod($methodClass, $user)->verify(...$args)) {
+            $user?->handleInvalidLoginParam();
             return false;
         }
 
@@ -224,6 +226,33 @@ public function verify(string $methodClass, mixed ...$args): bool
         return true;
     }
 
+    /**
+     * Returns an authentication error message based on the authentication error value.
+     * If a default message was passed and the authentication error value is for invalid credentials,
+     * that default message will be used.
+     *
+     * @param string|null $defaultMessage
+     * @return string
+     * @since 5.7.11
+     */
+    public function getAuthErrorMessage(?string $defaultMessage = null): string
+    {
+        $user = $this->getUser();
+        $authError = null;
+        if ($user) {
+            $authError = UserHelper::getAuthStatus($user);
+        }
+        if ($authError == User::AUTH_INVALID_CREDENTIALS || !$authError) {
+            if ($defaultMessage) {
+                return $defaultMessage;
+            }
+
+            return Craft::t('app', 'Invalid verification code.');
+        }
+
+        return UserHelper::getLoginFailureMessage($authError, $user);
+    }
+
     /**
      * Returns all available user authentication methods.
      *