Skip to content

Fix: stop counting non-Basic auth schemes and malformed tokens as failed attempts#7

Merged
joelbyford merged 2 commits intoSecurityUpdatesfrom
copilot/sub-pr-6
Mar 5, 2026
Merged

Fix: stop counting non-Basic auth schemes and malformed tokens as failed attempts#7
joelbyford merged 2 commits intoSecurityUpdatesfrom
copilot/sub-pr-6

Conversation

Copy link
Contributor

Copilot AI commented Mar 5, 2026
edited
Loading

Invoke was incrementing the IP failure counter whenever any Authorization header was present but unparseable as Basic credentials — including Bearer tokens and other schemes — unintentionally triggering lockouts for clients not attempting Basic Auth at all.

Changes

  • TryGetCredentials: Removed hadAuthorizationHeader out parameter — it was the only driver of the incorrect failure path
  • Invoke: Removed the if (hadAuthorizationHeader) { RegisterFailedAttempt(...) } block; failed attempts now register only when credentials fully parse (valid Basic scheme, decodable base64, extractable user:pass) but are rejected by IsAuthorized
Before: Authorization: ******  →  RegisterFailedAttempt (wrong)
After:  Authorization: ******  →  401 challenge, no counter increment

Before: Authorization: Basic <garbage_b64>  →  RegisterFailedAttempt (wrong)
After:  Authorization: Basic <garbage_b64>  →  401 challenge, no counter increment

Before/After: Authorization: Basic <valid_b64_wrong_creds>  →  RegisterFailedAttempt (correct)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Mar 5, 2026
Merged
@joelbyford
Fix: only register failed attempts for valid Basic credential submiss…
d6d793c 
…ions

Co-authored-by: joelbyford <57726719+joelbyford@users.noreply.github.com>
Copilot AI changed the title [WIP] Address feedback on security enhancements implementation Fix: stop counting non-Basic auth schemes and malformed tokens as failed attempts Mar 5, 2026
joelbyford
joelbyford approved these changes Mar 5, 2026
View reviewed changes
Copy link
Owner

@joelbyford joelbyford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Validated in local test environment.

@joelbyford joelbyford marked this pull request as ready for review March 5, 2026 16:22
@joelbyford joelbyford merged commit 077881a into SecurityUpdates Mar 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@joelbyford joelbyford joelbyford approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@joelbyford joelbyford

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@joelbyford