
Implement exponential lockout

Description

To prevent unauthorized account access, we will implement an exponential lockout for CRSId/Last Name and DoB pairs.

Further details

We will not be storing login attempts against the actual accounts; rather, a separate database table will track unsuccessful login attempts, and the "username" portion of the login credentials will be checked for lockout against this table when a user attempts to log in. The database will need to store:

  • Identity Key (CRSId or Last Name) (PK) - suggest one field to store either, don't need to make a distinction.
  • DoB (PK)
  • number of unsuccessful login attempts
  • nullable "lockout until" datetime

Task list

  • Create model to store lockout data
  • Update login code to:
    • Store lockout data on unsuccessful login attempt
      • After 3 unsuccessful logins, start setting a lockout - start at 10 (default) seconds in the future, then double it for each subsequent unsuccessful attempt (including those blocked by the lockout).
      • The number of unsuccessful logins and the initial lockout time should be configurable.
    • Prevent login if credentials being used are in the lockout table and the current time is before the "lockout until" time - sending back a standard 401.
    • Clear lockout data on successful login attempt
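
A reference implementation of the task list above, written as an added example rather than the project's own code: the lockout table is held in memory, the thresholds are constructor arguments, and the identity key, DoB and "now" timestamp are assumed inputs supplied by the caller.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class LockoutRow:
    """One row of the lockout table, keyed by (identity key, DoB) rather than by account."""
    failed_attempts: int = 0
    lockout_until: Optional[datetime] = None  # nullable, as in the spec


class LockoutTable:
    """In-memory stand-in for the lockout table; threshold and initial delay are configurable."""

    def __init__(self, max_attempts: int = 3, initial_lockout_seconds: int = 10):
        self.max_attempts = max_attempts
        self.initial_lockout = timedelta(seconds=initial_lockout_seconds)
        self._rows: Dict[Tuple[str, str], LockoutRow] = {}

    def is_locked_out(self, identity_key: str, dob: str, now: datetime) -> bool:
        row = self._rows.get((identity_key, dob))
        return row is not None and row.lockout_until is not None and now < row.lockout_until

    def record_failure(self, identity_key: str, dob: str, now: datetime) -> Optional[datetime]:
        """Count a failed attempt; from the Nth failure on, set a lockout that doubles each time."""
        row = self._rows.setdefault((identity_key, dob), LockoutRow())
        row.failed_attempts += 1
        if row.failed_attempts >= self.max_attempts:
            doublings = row.failed_attempts - self.max_attempts  # 0 at the threshold: 10s, 20s, 40s, ...
            row.lockout_until = now + self.initial_lockout * (2 ** doublings)
        return row.lockout_until

    def clear(self, identity_key: str, dob: str) -> None:
        """Successful login: drop the row so the counter restarts from zero."""
        self._rows.pop((identity_key, dob), None)


def attempt_login(table: LockoutTable, identity_key: str, dob: str,
                  credentials_valid: bool, now: datetime) -> int:
    """Return the HTTP status the login endpoint sends: 200, or the same 401 for every refusal."""
    if table.is_locked_out(identity_key, dob, now):
        table.record_failure(identity_key, dob, now)  # blocked attempts still count and extend the lockout
        return 401
    if credentials_valid:
        table.clear(identity_key, dob)
        return 200
    table.record_failure(identity_key, dob, now)
    return 401
```

Because a locked-out pair gets the same 401 whether or not the password was right, the response does not reveal that a guess succeeded during the lockout window.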

Acceptance criteria

  • User accounts are protected from brute force attempts.

Links/references

Edited by Mike Knee