Fix: Refactor password history logging

Remove misplaced log message inside checkTooManyPasswordHashes and add a consolidated log message when too many password hashes are detected for an account. This improves the clarity and relevance of log entries. Signed-off-by: Christian Roessner <c@roessner.co>
croessner · Nov 8, 2024 · 7e84e26 · 7e84e26
1 parent cd10ac9
commit 7e84e26
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/server/core/bruteforce.go b/server/core/bruteforce.go
@@ -324,8 +324,6 @@ func (a *AuthState) checkTooManyPasswordHashes(key string) bool {
 		return true
 	} else {
 		if length > int64(config.LoadableConfig.Server.MaxPasswordHistoryEntries) {
-			level.Info(log.Logger).Log(global.LogKeyGUID, a.GUID, global.LogKeyMsg, fmt.Sprintf("too many entries in Redis hash key %s", key))
-
 			stats.RedisReadCounter.Inc()
 
 			return true
@@ -442,13 +440,18 @@ func (a *AuthState) saveFailedPasswordCounterInRedis() {
 		return
 	}
 
-	var keys []string
+	var (
+		keys          []string
+		keysOverLimit bool
+	)
 
 	keys = append(keys, a.getPasswordHistoryRedisHashKey(true))
 	keys = append(keys, a.getPasswordHistoryRedisHashKey(false))
 
 	for index := range keys {
 		if a.checkTooManyPasswordHashes(keys[index]) {
+			keysOverLimit = true
+
 			continue
 		}
 
@@ -480,6 +483,10 @@ func (a *AuthState) saveFailedPasswordCounterInRedis() {
 			stats.RedisWriteCounter.Inc()
 		}
 	}
+
+	if keysOverLimit {
+		level.Info(log.Logger).Log(global.LogKeyGUID, a.GUID, global.LogKeyMsg, "Too many password hashes for this account")
+	}
 }
 
 // loadBruteForceBucketCounterFromRedis is a method on the AuthState struct that loads the brute force