Is there an existing issue for this?
Describe the bug
When using ASP.NET Identity, under certain conditions, the method UserManager.AccessFailedAsync() fails with an overflow exception if the DefaultLockoutTimeSpan is too large.
An example scenario of where this may occur is, when a call is made to SignInManager<TIdentityUser>.TwoFactorySignInAsync() that results in a failed MFA sign-in, the method UserManager.AccessFailedAsync() will be called.
The problem is this line:
await store.SetLockoutEndDateAsync(user, DateTimeOffset.UtcNow.Add(Options.Lockout.DefaultLockoutTimeSpan),
CancellationToken).ConfigureAwait(false);The use-case here is that, the DefaultLockoutTimeSpan was being set to TimeSpan.MaxValue as a way to basically enforce lockouts are not automatically removed as a way to lock an account for investigation of suspicious activity for certain operations - such as entering many invalid MFA codes over and over again.
Expected Behavior
I think this should be more forgiving or have a way to set an indefinite lockout timespan. The only alternative currently available is setting to something large, but arbitrary, such as TimeSpan.FromDays(50000) which just looks worse - if you see 12/31/9999 as an end date, you have an idea that it's basically forever, but if you see 2/4/4737, for example, it doesn't mean anything.
So in UserManager either update the call to something like this:
var now = DateTimeOffset.UtcNow;
DateTimeOffset lockoutEnd = now > DateTimeOffset.MaxValue - Options.Lockout.DefaultLockoutTimeSpan? DateTimeOffset.MaxValue : now.Add(Options.Lockout.DefaultLockoutTimeSpan);
await store.SetLockoutEndDateAsync(user, lockoutEnd,CancellationToken).ConfigureAwait(false);
Or a new option added to specify an endless lockout.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
.NET 9
Anything else?
No response
Is there an existing issue for this?
Describe the bug
When using ASP.NET Identity, under certain conditions, the method
UserManager.AccessFailedAsync()fails with an overflow exception if theDefaultLockoutTimeSpanis too large.An example scenario of where this may occur is, when a call is made to
SignInManager<TIdentityUser>.TwoFactorySignInAsync()that results in a failed MFA sign-in, the methodUserManager.AccessFailedAsync()will be called.The problem is this line:
The use-case here is that, the
DefaultLockoutTimeSpanwas being set toTimeSpan.MaxValueas a way to basically enforce lockouts are not automatically removed as a way to lock an account for investigation of suspicious activity for certain operations - such as entering many invalid MFA codes over and over again.Expected Behavior
I think this should be more forgiving or have a way to set an indefinite lockout timespan. The only alternative currently available is setting to something large, but arbitrary, such as
TimeSpan.FromDays(50000)which just looks worse - if you see 12/31/9999 as an end date, you have an idea that it's basically forever, but if you see 2/4/4737, for example, it doesn't mean anything.So in UserManager either update the call to something like this:
Or a new option added to specify an endless lockout.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
.NET 9
Anything else?
No response