Fixed bug 60181.

Adit Sheth · Adit Sheth · commit 3bc8a31a785d · 2025-02-12T11:45:42.000-08:00
diff --git a/src/Identity/Extensions.Core/src/LockoutOptions.cs b/src/Identity/Extensions.Core/src/LockoutOptions.cs
@@ -32,4 +32,10 @@ public class LockoutOptions
     /// </summary>
     /// <value>The <see cref="TimeSpan"/> a user is locked out for when a lockout occurs.</value>
     public TimeSpan DefaultLockoutTimeSpan { get; set; } = TimeSpan.FromMinutes(5);
+
+    /// <summary>
+    /// Specifies whether the lockout should be permanent.
+    /// If true, the user will be locked out indefinitely.
+    /// </summary>
+    public bool PermanentLockout { get; set; } = false;
 }
diff --git a/src/Identity/Extensions.Core/src/UserManager.cs b/src/Identity/Extensions.Core/src/UserManager.cs
@@ -1812,24 +1812,39 @@ public virtual async Task<IdentityResult> SetLockoutEndDateAsync(TUser user, Dat
     /// </summary>
     /// <param name="user">The user whose failed access count to increment.</param>
     /// <returns>The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/> of the operation.</returns>
-    public virtual async Task<IdentityResult> AccessFailedAsync(TUser user)
-    {
-        ThrowIfDisposed();
-        var store = GetUserLockoutStore();
-        ArgumentNullThrowHelper.ThrowIfNull(user);
+public virtual async Task<IdentityResult> AccessFailedAsync(TUser user)
+{
+    ThrowIfDisposed();
+    var store = GetUserLockoutStore();
+    ArgumentNullThrowHelper.ThrowIfNull(user);
 
-        // If this puts the user over the threshold for lockout, lock them out and reset the access failed count
-        var count = await store.IncrementAccessFailedCountAsync(user, CancellationToken).ConfigureAwait(false);
-        if (count < Options.Lockout.MaxFailedAccessAttempts)
-        {
-            return await UpdateUserAsync(user).ConfigureAwait(false);
-        }
-        Logger.LogDebug(LoggerEventIds.UserLockedOut, "User is locked out.");
-        await store.SetLockoutEndDateAsync(user, DateTimeOffset.UtcNow.Add(Options.Lockout.DefaultLockoutTimeSpan),
-            CancellationToken).ConfigureAwait(false);
-        await store.ResetAccessFailedCountAsync(user, CancellationToken).ConfigureAwait(false);
+// If this puts the user over the threshold for lockout, lock them out and reset the access failed count
+    var count = await store.IncrementAccessFailedCountAsync(user, CancellationToken).ConfigureAwait(false);
+    if (count < Options.Lockout.MaxFailedAccessAttempts)
+    {
         return await UpdateUserAsync(user).ConfigureAwait(false);
     }
+    Logger.LogDebug(LoggerEventIds.UserLockedOut, "User is locked out.");
+
+    // Prevent overflow when setting lockout end date
+    var now = DateTimeOffset.UtcNow;
+    DateTimeOffset lockoutEnd;
+
+    if (Options.Lockout.DefaultLockoutTimeSpan == TimeSpan.MaxValue)
+    {
+        lockoutEnd = DateTimeOffset.MaxValue;
+    }
+    else
+    {
+        lockoutEnd = now > (DateTimeOffset.MaxValue - Options.Lockout.DefaultLockoutTimeSpan)
+            ? DateTimeOffset.MaxValue
+            : now.Add(Options.Lockout.DefaultLockoutTimeSpan);
+    }
+
+    await store.SetLockoutEndDateAsync(user, lockoutEnd, CancellationToken).ConfigureAwait(false);
+    await store.ResetAccessFailedCountAsync(user, CancellationToken).ConfigureAwait(false);
+    return await UpdateUserAsync(user).ConfigureAwait(false);
+}
 
     /// <summary>
     /// Resets the access failed count for the specified <paramref name="user"/>.
diff --git a/src/Identity/test/Identity.Test/UserManagerTest.cs b/src/Identity/test/Identity.Test/UserManagerTest.cs
@@ -1012,6 +1012,24 @@ public async Task ResetTokenCallNoopForTokenValueZero()
         IdentityResultAssert.IsSuccess(await manager.ResetAccessFailedCountAsync(user));
     }
 
+    [Fact]
+    public async Task AccessFailedAsync_IncrementsAccessFailedCount()
+    {
+        // Arrange
+        var user = new PocoUser() { UserName = "testuser" };
+        var store = new Mock<IUserLockoutStore<PocoUser>>();
+        store.Setup(x => x.GetAccessFailedCountAsync(user, It.IsAny<CancellationToken>())).ReturnsAsync(1);
+        store.Setup(x => x.IncrementAccessFailedCountAsync(user, It.IsAny<CancellationToken>())).ReturnsAsync(2);
+
+        var manager = MockHelpers.TestUserManager(store.Object);
+
+        // Act
+        var result = await manager.AccessFailedAsync(user);
+
+        // Assert
+        Assert.Equal(2, result);
+    }
+
     [Fact]
     public async Task ManagerPublicNullChecks()
     {
