ServerConnect SecurityLogin Unauthorized test

Hi,

I am building a login form that locks the user after a number of failed attempts.

For that I would like to capture the unauthorized event on the server side and increment a flag in the database each time it happens. On the other hand, if the login is successful, the flag will be set to 0.

Can you please advise on the best way to test in the ServerConnect, after the SecurityLogin step, if the user was authorized?

Many thanks

I think that I would do this on the client side rather than server side.

Create a variable as per

Or, under State Management create a Cookie/Session/Local storage variable depending on what you want to achieve.

When the login form is submitted, under Dynamic Events use the onError and/or onUnauthorized events to increment the value of the variable. If a successful event occurs, onSuccess can reset the value to zero.


Thank you @ben, but for security reasons I prefer to do it on the server side, for two reasons: 1/ block malicious login attempts and 2/ send an email to the user on each failed attempt.
Is there a way to catch the unauthorized event on server side? Thanks
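
The server-side counter asked for above, as an added example that is not part of the original posts and is not Wappler Server Connect code. It is plain Node.js; the `users` Map, the `outbox` array, the threshold of 5 and the sample account are constructed assumptions standing in for the database flag and the e-mail step.

```javascript
// Added example (plain Node.js, not Wappler Server Connect code).
const crypto = require('node:crypto');

const MAX_FAILED = 5; // assumed lockout threshold; the thread does not name one

// Constructed sample data: an in-memory Map stands in for the users table.
function makeUser(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32), failed: 0 };
}
const users = new Map([['alex@example.test', makeUser('correct horse')]]);
const outbox = []; // stands in for the "send an email" step

// Returns { ok, locked, failed }. Whatever happens here, the client should
// receive the same generic 401 for every failure.
function login(username, password) {
  const user = users.get(username);
  if (!user) return { ok: false, locked: false, failed: 0 }; // no row to count on

  // Check the lock before the password, so a correct guess made after the
  // threshold is still refused.
  if (user.failed >= MAX_FAILED) {
    return { ok: false, locked: true, failed: user.failed };
  }

  const candidate = crypto.scryptSync(password, user.salt, 32);
  if (crypto.timingSafeEqual(candidate, user.hash)) {
    user.failed = 0; // successful login resets the flag
    return { ok: true, locked: false, failed: 0 };
  }

  user.failed += 1; // counted on the server, out of the browser's reach
  outbox.push({ to: username, attempt: user.failed });
  return { ok: false, locked: false, failed: user.failed };
}
```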

You can create a separate server action which sends an email/saves activity logs and then run it on the unauthorized event.

OK, thanks. So all solutions involve the frontend; there is no way to bypass it to test what the security login returns.

Hi,
I’m wondering if this is still the final answer.
Isn’t there any way to determine if the Login step in a server action failed before the client side detects it? Sounds odd.

BTW, I tried to put a condition like the one below and although the successful logins are recorded, the failed ones are not.

I think that the condition that I’m testing for in (A) is not the right one.
Proof of that is that (B) is executed when the login is successful but (C) is not executed when the login fails.

I’d appreciate any guidance on how to accomplish this.

Many thanks in advance,

Alex

Have you considered using a validate step on the username and reCAPTCHA? It's not an answer to your question by any means, simply a suggestion…?

Hi @Dave,
I’m not sure I understand what you propose. Can you please elaborate?

Many thanks,

Alex

You can easily solve this process with a cookie. Can be used on the cookie server side.

Simply as a way of protecting against unwanted/automated login attempts essentially (is this what you are trying to achieve?). Server Connect has a fantastic validate option that enables you to validate that the actual record exists within the database (i.e. the username, for example), and if it fails to validate, the next step in your Server Connect Action will cease to execute. Partnering this with reCAPTCHA as a check for humans will also deny any bots from continuing to force login attempts, and they will soon direct their attention elsewhere, away from your application. If the validation fails you could then send an automated message to the administrator alerting you of this activity. Blocking IPs is next to useless as most botnets have thousands to loop through, forcing attempts repeatedly to your application. A simple protection mechanism (extremely easy to deploy) against this type of activity without getting too overly complex about it. Maybe worth considering in this circumstance?

Hi Dave,
I agree that the captcha will deter bots from attempting logins and I’ll take a look at how to put one in the login page (I’m relatively new to Wappler and I’m not a programmer, so it may take me a bit).
But I’m still stuck with the issue of how the server action knows of a failed login attempt. I could not find the condition to test for that.

Many thanks!

Hi @s.alpaslan,

Can you please say more? I don’t understand.

Many thanks in advance,

Alex