Bug #95891
Closed
CLI backend:unlock does not work
Description
Reproduce
1. Several BE login attempts which fail: BE will be locked:
(1/1) #1616175867 TYPO3\CMS\Core\RateLimiter\RequestRateLimitedException The login is locked until 06-11-21 08:49 due to too many failed login attempts from your IP address.
2. Run
typo3/sysext/core/bin/typo3 backend:unlock
Unlock the TYPO3 Backend
========================
 ! [NOTE] No lock file "/var/www/t3coredev_uol/typo3conf/LOCK_BACKEND" was found.
 ! Hence no lock can be removed.
3. Check for file LOCK_BACKEND
Does not exist anywhere in site
4. Remove file in typo3temp/var/cache/data/ratelimiter/
Can login again ...
Version
- TYPO3 11-dev (master)
- coredev Installation (git repo) - non Composer mode
- default configuration, normal login, no MFA
Updated by Stefan Bürk about 3 years ago
Hi Sybille, thanks for reporting this. But I'm afraid you are mixing up things here which are unrelated.
rate limiter lock <==> backend lock
Your provided message from 1. states that a specific user was rate limited until a special date (user backend login temporary ban).
But you are using the command to "unlock the whole backend login", but that was not locked. backend:unlock is related to backend:lock and controls the whole backend lock from command line, not the temporary user ban/lock created from the rate limiter.
I could not see (and am not aware of) a command to remove the temporary user ban of a user. Maybe a feature request? (Should be only for a specific user, not all etc.)
See command descriptions of the lock/unlock CLI command:
backend:lock      Lock the TYPO3 Backend
backend:unlock    Unlock the TYPO3 Backend
After reading that explanation and maybe rereading the CLI command description, would you confirm that it's not a bug, but maybe a "missing feature" for the rate limiting stuff? If yes, can we close this issue afterwards and eventually create a feature request separately for it?
Updated by Sybille Peters about 3 years ago
- Status changed from New to Closed
Closing as "not a bug" - misunderstanding.
Yes. That seems quite plausible (and obvious in retrospect).
I could have sworn the exception message told me to use backend:unlock, but it didn't. Agree to close.
Don't know if anything exists to specifically unlock the "unsuccessful login" login prevention - as that is security relevant, might make sense to be a little more careful about that.
Thanks for clarifying.
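
The distinction discussed in this thread, as an added example that is not part of the original issue or TYPO3's own code: a read-only shell check that reports which of the two mechanisms has left state on disk. It assumes the non-Composer paths quoted above (typo3conf/LOCK_BACKEND and typo3temp/var/cache/data/ratelimiter/); lock_state and explain are hypothetical helper names.

```shell
#!/bin/sh
# Added example: tell a whole-backend lock apart from a login rate-limit ban.
# Paths are the ones quoted in this issue (non-Composer layout, assumption);
# nothing is modified or deleted.

# lock_state SITE_ROOT -> prints backend-lock, rate-limit, both or none
lock_state() {
    root=$1
    backend=0
    ratelimit=0

    # Whole-backend lock: the file that backend:unlock looks for.
    if [ -e "$root/typo3conf/LOCK_BACKEND" ]; then
        backend=1
    fi

    # Rate limiter state: any regular file below the cache directory.
    rl_dir="$root/typo3temp/var/cache/data/ratelimiter"
    if [ -d "$rl_dir" ] && [ -n "$(find "$rl_dir" -type f 2>/dev/null | head -n 1)" ]; then
        ratelimit=1
    fi

    case "$backend$ratelimit" in
        11) echo both ;;
        10) echo backend-lock ;;
        01) echo rate-limit ;;
        *)  echo none ;;
    esac
}

# explain STATE -> one-line hint on which mechanism is involved
explain() {
    case "$1" in
        backend-lock) echo "LOCK_BACKEND present: backend:unlock applies." ;;
        rate-limit)   echo "Rate limiter entries only: backend:unlock will find no lock file." ;;
        both)         echo "Both present: backend:unlock removes only LOCK_BACKEND." ;;
        *)            echo "Neither a lock file nor rate limiter entries found." ;;
    esac
}

# Run against a site root when one is given on the command line.
if [ $# -gt 0 ]; then
    state=$(lock_state "$1")
    echo "$state: $(explain "$state")"
fi
```
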