Login attempts not working?

[edtorba]

Hi all,

got the following setup for the users' collection:

auth: {
  useAPIKey: true,
  tokenExpiration: 86400, // 24h
  maxLoginAttempts: 3,
  lockTime: 900, // 15min
},

As a test did multiple login attempts via graphql-playground where I got the following message in first 3 attempts:

"message": "The email or password provided is incorrect.",

^ That's ok and as expected.

4th attempt

"message": "This user is locked due to having too many failed login attempts.",

^ Fine.

5th attempt

"message": "The email or password provided is incorrect.",

^ Say whaaaat?

On 6th attempt, I set the correct password and got logged in. However, the expected response would be - a locked account.

Question - is lockTime also defined in seconds (docs don't state in what format) as tokenExpiration? If yes, I guess that's a bug then? If not, what's going wrong?

Version 1.2.0

Thanks.

[edtorba]

Turns out it is working just fine...

Annoyingly @ https://payloadcms.com/docs/authentication/config it didn't state that lockTime is defined in ms and I simply assumed that it is seconds as two rows above tokenExpiration is in fact configured in seconds.

Spotted that it is meant to be in ms @ https://payloadcms.com/docs/production/preventing-abuse.

Suggestion for the documentation - maybe it's worth having an additional column(s), e.g. default values, expected units, etc.