User Lockout with ASP.NET and ReactJS

Lockout.a.User.Account.mp4

User Lockout Configuration

{
    opt.Lockout.AllowedForNewUsers = true;
    opt.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    opt.Lockout.MaxFailedAccessAttempts = 3;
})

User Lockout in the Login Action

 public async Task<LoginServiceResponseDto> Login(Login login)
    {
        var user = await _userManager.FindByEmailAsync(login.Email);

        if (user is null)
            throw new UnauthorizedAccessException("Email or Password is incorrect!");

        if (await _userManager.IsLockedOutAsync(user))
        {
            throw new UnauthorizedAccessException("Your account is locked. Please try again after 15 min.");
        }

        var result = await _userManager.CheckPasswordAsync(user, login.Password);

        if (!result)
        {
            await _userManager.AccessFailedAsync(user);
            throw new UnauthorizedAccessException("Email or Password is incorrect!");
        }

        await _userManager.ResetAccessFailedCountAsync(user);

        var jwtSecurityToken = await _tokenService.CreateJwtToken(user);
        var userInfo = new UserInfoResult
        {
            FirstName = user.FirstName,
            LastName = user.LastName,
            Email = user.Email,
            Id = user.Id,
            UserName = user.UserName
        };

        return new LoginServiceResponseDto
        {
            Token = new JwtSecurityTokenHandler().WriteToken(jwtSecurityToken),
            UserInfo = userInfo
        };
    }

By setting the lockoutOnFailure parameter to true, we enable the lockout functionality, thus enable modification of the AccessFailedCount and LockoutEnd columns in the AspNetUsers table:

If we try to log in with the wrong credentials, we will get the Invalid Login Attempt error and the AccessFailedCount column will increase:

We can see the account locked out and we can confirm that in the database:

Liked it ? Stay with me and follow me on GitHub and LinkedIn.