Feature request: Parse User Account lockout policy setting

[cherukumilli]

@flovilmart @drew-gross

Currently parse-server does not have a way to lock accounts after failed login attempts.

Would you be interested in taking a PR to allow developers the ability to set a Account lockout policy?

Account lockout policy at a high level:

Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error.

Update parse-server to track logon attempts and respond to this type of potential attack by disabling the account for a preset period of time

This setting will have 2 parameters:

Account lockout duration

The Account lockout duration policy setting determines the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. The available range is from 1 through 99,999 minutes.

Account lockout threshold

The Account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. You can set a value from 1 through 999 failed sign-in attempts.

References

The above template was based on: https://technet.microsoft.com/en-us/library/hh994563(v=ws.11).aspx

[flovilmart]

@cherukumilli That seems like an interesting feature! But that may require an update of the client SDK's too to support the new errors

[cherukumilli]

@flovilmart
Just went through some of the client SDK's. I can handle the JS SDK and android SDK. I am not sure about the others.

Would you guys accept a multi phased change?
i.e., in phase 1,
update parse-server only.
parse server returns an existing error like Parse.Error.OBJECT_NOT_FOUND for all errors related this new feature.
Even though the error code says Parse.Error.OBJECT_NOT_FOUND, the error message describes the error in a little more detail.

in phase 2, update JS SDK and android SDK with new error codes
in phase 3, update the rest of the client SDK's with community contributors
in phase 4, update the server to use the new error codes in the client SDK's.

[cherukumilli]

@flovilmart
Would you guys accept a PR with just changes to parse-server where the server returns an error code Parse.Error.OBJECT_NOT_FOUND with an error message like Your account is locked due to multiple failed login attempts. Please try again after xx minutes when the account is locked?

[flovilmart]

As long as we're still in an 'opt-in' basis, that would be fine, you could introduce another error code, and let the people know the meaning of that error in the docs :)

[cherukumilli]

Closing this feature request as the PR #2601 has been merged into the master and released as part of release 2.2.19 (https://github.com/ParsePlatform/parse-server/releases/tag/2.2.19).