From 7e84e267701b12f6377596dab6df60481146a298 Mon Sep 17 00:00:00 2001
From: Christian Roessner <c@roessner.co>
Date: Fri, 8 Nov 2024 16:13:30 +0100
Subject: [PATCH] Fix: Refactor password history logging

Remove misplaced log message inside checkTooManyPasswordHashes and add a consolidated log message when too many password hashes are detected for an account. This improves the clarity and relevance of log entries.

Signed-off-by: Christian Roessner <c@roessner.co>
---
 server/core/bruteforce.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/server/core/bruteforce.go b/server/core/bruteforce.go
index d77b45b7..e9e3eb99 100644
--- a/server/core/bruteforce.go
+++ b/server/core/bruteforce.go
@@ -324,8 +324,6 @@ func (a *AuthState) checkTooManyPasswordHashes(key string) bool {
 		return true
 	} else {
 		if length > int64(config.LoadableConfig.Server.MaxPasswordHistoryEntries) {
-			level.Info(log.Logger).Log(global.LogKeyGUID, a.GUID, global.LogKeyMsg, fmt.Sprintf("too many entries in Redis hash key %s", key))
-
 			stats.RedisReadCounter.Inc()
 
 			return true
@@ -442,13 +440,18 @@ func (a *AuthState) saveFailedPasswordCounterInRedis() {
 		return
 	}
 
-	var keys []string
+	var (
+		keys          []string
+		keysOverLimit bool
+	)
 
 	keys = append(keys, a.getPasswordHistoryRedisHashKey(true))
 	keys = append(keys, a.getPasswordHistoryRedisHashKey(false))
 
 	for index := range keys {
 		if a.checkTooManyPasswordHashes(keys[index]) {
+			keysOverLimit = true
+
 			continue
 		}
 
@@ -480,6 +483,10 @@ func (a *AuthState) saveFailedPasswordCounterInRedis() {
 			stats.RedisWriteCounter.Inc()
 		}
 	}
+
+	if keysOverLimit {
+		level.Info(log.Logger).Log(global.LogKeyGUID, a.GUID, global.LogKeyMsg, "Too many password hashes for this account")
+	}
 }
 
 // loadBruteForceBucketCounterFromRedis is a method on the AuthState struct that loads the brute force