add fallback to id

id.saladeaula.digital/app/routes/authentication.py

@@ -7,7 +7,10 @@ from aws_lambda_powertools.event_handler import (
     Response,
 )
 from aws_lambda_powertools.event_handler.api_gateway import Router
-from aws_lambda_powertools.event_handler.exceptions import ForbiddenError, NotFoundError
+from aws_lambda_powertools.event_handler.exceptions import (
+    NotFoundError,
+    UnauthorizedError,
+)
 from aws_lambda_powertools.event_handler.openapi.params import Body
 from aws_lambda_powertools.shared.cookies import Cookie
 from layercake.dateutils import now, ttl
@@ -25,7 +28,7 @@ dyn = DynamoDBPersistenceLayer(OAUTH2_TABLE, dynamodb_client)
 idp = boto3.client('cognito-idp')
 
 
-class InvalidCredentialsError(ForbiddenError): ...
+class InvalidCredentialsError(UnauthorizedError): ...
 
 
 class UserNotFoundError(NotFoundError): ...
@@ -42,15 +45,21 @@ def authentication(
         _get_idp_user(user_id, username, password)
     else:
         if not pbkdf2_sha256.verify(password, password_hash):
-            raise InvalidCredentialsError('Invalid credentials')
+            dyn.update_item(
+                key=KeyPair(user_id, 'FAILED_ATTEMPTS'),
+                update_expr='SET #count = if_not_exists(#count, :zero) + :one, \
+                                 updated_at = :now',
+                expr_attr_names={
+                    '#count': 'failed_attempts',
+                },
+                expr_attr_values={
+                    ':zero': 0,
+                    ':one': 1,
+                    ':now': now(),
+                },
+            )
 
-    dyn.update_item(
-        key=KeyPair(user_id, '0'),
-        # Post-migration (users): uncomment the following line
-        # update_expr='SET last_login = :now',
-        update_expr='SET lastLogin = :now',
-        expr_attr_values={':now': now()},
-    )
+            raise InvalidCredentialsError('Invalid credentials')
 
     return Response(
         status_code=HTTPStatus.OK,
@@ -146,6 +155,16 @@ def new_session(user_id: str) -> str:
     exp = ttl(start_dt=now_, seconds=SESSION_EXPIRES_IN)
 
     with dyn.transact_writer() as transact:
+        transact.delete(key=KeyPair(user_id, 'FAILED_ATTEMPTS'))
+        transact.update(
+            key=KeyPair(user_id, '0'),
+            # Post-migration (users): uncomment the following line
+            # update_expr='SET last_login = :now',
+            update_expr='SET lastLogin = :now',
+            expr_attr_values={
+                ':now': now_,
+            },
+        )
         transact.put(
             item={
                 'id': 'SESSION',

id.saladeaula.digital/tests/routes/test_authentication.py

@@ -1,6 +1,6 @@
-from http import HTTPMethod
+from http import HTTPMethod, HTTPStatus
 
-from layercake.dynamodb import DynamoDBPersistenceLayer, PartitionKey
+from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair, PartitionKey
 
 from ..conftest import HttpApiProxy, LambdaContext
 
@@ -29,3 +29,31 @@ def test_authentication(
     session = dynamodb_persistence_layer.collection.query(PartitionKey('SESSION'))
     # One seesion if created from seeds
     assert len(session['items']) == 2
+
+
+def test_invalid_password(
+    app,
+    seeds,
+    dynamodb_persistence_layer: DynamoDBPersistenceLayer,
+    http_api_proxy: HttpApiProxy,
+    lambda_context: LambdaContext,
+):
+    r = app.lambda_handler(
+        http_api_proxy(
+            raw_path='/authentication',
+            method=HTTPMethod.POST,
+            body={
+                'username': '07879819908',
+                'password': '123333',
+            },
+        ),
+        lambda_context,
+    )
+
+    assert r['statusCode'] == HTTPStatus.UNAUTHORIZED
+
+    failed = dynamodb_persistence_layer.collection.get_item(
+        KeyPair('357db1c5-7442-4075-98a3-fbe5c938a419', 'FAILED_ATTEMPTS')
+    )
+
+    assert 'failed_attempts' in failed