[C4GT Community]: Account Lockout After Multiple Failed Login Attempts – Auto Unlock Required After 24 Hours #118

@drtechie

Description

Currently, when a user enters an incorrect password five times, the account is permanently blocked at the backend. There is no automatic mechanism to unlock the account after a defined time period, so manual intervention is always required.

To address this, the account lock should be time-bound. Once the lock duration expires (24 hours / 23:59:59), the account should automatically become active again. This will also allow administrators to manage account status effectively from the Admin Panel.

Steps to Reproduce:

  1. Navigate to the Login page of any AMRIT application
  2. Enter a valid username
  3. Enter an incorrect password five times
  4. Observe the error message: "Your account has been locked. Please contact to the administrator."

Current Behavior:

  • After five failed login attempts, the user account is blocked at the backend
  • The account does not automatically unlock, even after 24 hours
  • Manual intervention is required to reactivate the account

Goals

  • Implement time-bound account locking mechanism (24 hours / 23:59:59)
  • Enable automatic account unlock at 00:00:01 the next day after lock expires
  • Update error message to: "Your account has been locked. You can try tomorrow or connect to the administrator."
  • Add account lock status visibility in Admin Panel
  • Allow Admin users to manually unlock accounts from Admin Panel

Expected Outcome

  • The account should be locked for 24 hours (23:59:59) after the fifth failed login attempt
  • The account should automatically unlock at 00:00:01 the next day
  • Once unlocked, the user should be able to log in successfully without any error message
  • Admin users should be able to view and manage the account lock status from the Admin Panel
  • The solution should reduce manual administrative effort and improve user experience while aligning with standard security practices for account lockout mechanisms

Acceptance Criteria

  • Account gets locked after 5 consecutive failed login attempts
  • Locked account displays updated error message with time-based unlock information
  • Account automatically unlocks after 24 hours (at 00:00:01 next day)
  • User can successfully log in after automatic unlock without manual intervention
  • Admin Panel displays account lock status (locked/unlocked) with lock timestamp
  • Admin can manually unlock accounts from the Admin Panel
  • Failed login attempt counter resets after successful login
  • Lock mechanism works consistently across all AMRIT applications

Implementation Details

Backend Changes:

  • Modify the authentication service to store lock timestamp instead of permanent block flag
  • Implement a time-check mechanism during login to compare current time with lock timestamp
  • Add scheduled job or on-demand check to auto-unlock accounts after 24 hours
  • Update the error response to include time-based unlock message

API Endpoints:

  • Update login endpoint to handle time-bound locking logic

Technologies: Java, Spring Boot, MySQL/PostgreSQL, Angular (Admin UI)
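An added example (not AMRIT's own code) sketching the backend changes above in plain Java: a nullable lock timestamp in place of a permanent block flag, an on-demand expiry check at login, a counter reset on success and an admin unlock. Class, field and method names are assumptions; the expiry follows the acceptance criteria (00:00:01 on the next calendar day), and the credential check is injected so the example carries no password handling of its own.

```java
import java.time.Clock;
import java.time.LocalDateTime;
import java.time.LocalTime;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiPredicate;

/** Time-bound lockout as described in the issue; entity and field names are assumptions, not AMRIT's own. */
public class TimeBoundLockout {
    static final int MAX_FAILED_ATTEMPTS = 5;                   // from the issue
    static final LocalTime UNLOCK_TIME = LocalTime.of(0, 0, 1); // 00:00:01 on the next calendar day
    static final String LOCKED_MESSAGE =
        "Your account has been locked. You can try tomorrow or connect to the administrator.";
    /** What the user table would persist: a counter and a nullable lock timestamp instead of a permanent flag. */
    static final class UserState { int failedAttempts; LocalDateTime lockedAt; }

    private final Map<String, UserState> users = new HashMap<>();
    private final BiPredicate<String, String> credentialCheck; // production code verifies a salted hash here
    private final Clock clock;                                  // injected so expiry can be tested

    TimeBoundLockout(BiPredicate<String, String> credentialCheck, Clock clock) {
        this.credentialCheck = credentialCheck; this.clock = clock;
    }
    private UserState state(String user) { return users.computeIfAbsent(user, u -> new UserState()); }

    /** Lock expiry shown in the Admin Panel: 00:00:01 on the day after the lock was set. */
    static LocalDateTime unlockAt(LocalDateTime lockedAt) {
        return lockedAt.toLocalDate().plusDays(1).atTime(UNLOCK_TIME);
    }

    /** On-demand check at login time; an expired lock is cleared here, so no scheduled job is needed. */
    boolean isLocked(String user) {
        UserState s = state(user);
        if (s.lockedAt == null) return false;
        if (!LocalDateTime.now(clock).isBefore(unlockAt(s.lockedAt))) { unlock(user); return false; }
        return true;
    }

    /** Admin Panel action (also used for expiry): clears both the lock and the counter. */
    void unlock(String user) { UserState s = state(user); s.lockedAt = null; s.failedAttempts = 0; }

    /** Message the login endpoint returns; a successful login resets the counter. */
    String login(String user, String password) {
        if (isLocked(user)) return LOCKED_MESSAGE;
        UserState s = state(user);
        if (credentialCheck.test(user, password)) { s.failedAttempts = 0; return "Login successful"; }
        if (++s.failedAttempts >= MAX_FAILED_ATTEMPTS) { s.lockedAt = LocalDateTime.now(clock); return LOCKED_MESSAGE; }
        return "Invalid username or password"; // same text whether the username or the password was wrong
    }
}
```

Driving it with `Clock.fixed(...)` lets a unit test make five failed calls to `login`, advance the clock past `unlockAt`, and confirm that `isLocked` returns false and the next correct login succeeds without an administrator.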

Mockups/Wireframes

N/A

Product Name

AMRIT (Accessible Medical Records via Integrated Technologies)

Organization Name

Piramal Swasthya Management and Research Institute

Domain

Healthcare / Public Health

Tech Skills Needed

  • Java
  • Spring Boot
  • SQL
  • Angular
  • RESTful APIs
  • Database
  • Security

Organizational Mentor

@drtechie

Complexity

Medium

Category

  • Backend
  • Security
  • API
  • Database
  • Frontend
