Account lockout: failed login attempts

If a user repeatedly tries to log in on the /api/v1/password/login endpoint and fails, their account is automatically locked after 10 failed attempts. The amount of time between failed attempts must be greater than the reset timeframe to not count as a failed login attempt. Otherwise, the attempts are cumulative.

See the loginWithPassword operation for more details.
Example | Reset timeframe = 5 minutes
User A

Failed login attempt. User tries again in 4 minutes. This counts as failed attempt 2/10.

User B

Failed login attempt. User tries again in 6 minutes. This counts as failed attempt 1/10.

User C locked out

Failed login attempt. User tries again repeatedly every 4 minutes for a total of 10 attempts. The user is locked out as they did not let the reset timeframe ever reach 5 minutes.

Feedback