🔐 Implement User Lockout in .NET 8 Web API with Identity | Secure Your App from Brute Force Attacks! 🚀

Service Registration 

This configuration sets up JWT (JSON Web Token) Authentication and integrates Identity-based user lockout within a .NET 8 Web API.

1. JWT Authentication Setup:

The code starts by adding authentication services to the builder.Services using JWT authentication. Here's a breakdown:

• Default Authentication Schemes:

  • The default authentication scheme is set to JWT Bearer (JwtBearerDefaults.AuthenticationScheme). This means that JWT will be used as the primary mechanism to authenticate users.
  • Both the DefaultAuthenticateScheme, DefaultScheme, and DefaultChallengeScheme are set to use JWT, ensuring that the app handles authentication and challenges using the same JWT scheme.

• JWT Bearer Options:

  • options.SaveToken = true: This instructs the application to save the JWT token once validated. This can be useful for later processing or access within the application.
  • Token Validation Parameters:
    These parameters define the rules for how the received JWT tokens should be validated:
    • ValidateAudience = false: The audience validation is disabled, meaning the token's "audience" claim is not required to match a specific value.
    • ValidateIssuer = false: The issuer validation is also disabled, so the token's "issuer" claim doesn't need to match a specific issuer.
    • ValidateIssuerSigningKey = true: This ensures that the token's signature is validated using the signing key. It’s crucial for verifying the token's integrity.
    • RequireExpirationTime = false & ValidateLifetime = false: These settings mean that token expiration and lifetime validation are disabled. Usually, you would want to validate the token's expiration, but this example allows for more flexibility, possibly in a development or testing scenario.
    • IssuerSigningKey: A Symmetric Security Key is used to validate the JWT's signature. The key is derived from the given string and is used to sign and verify the token. The Encoding.UTF8.GetBytes() method converts the string into a byte array, which is used as the signing key.

2. Identity User Lockout Configuration:

In addition to JWT, this setup configures ASP.NET Core Identity to handle user management, including lockout settings for failed login attempts.

• Default Identity with Lockout Settings:
  • AllowedForNewUsers = true: This ensures that newly registered users can be locked out if they exceed the allowed number of failed login attempts.
  • DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5): If a user exceeds the maximum number of failed login attempts, they will be locked out for 5 minutes. This prevents further login attempts during this period and is a common measure to protect against brute-force attacks.
  • MaxFailedAccessAttempts = 3: This setting defines the maximum number of failed login attempts (in this case, 3) before the user is locked out. After 3 incorrect attempts, the user is temporarily blocked from logging in.

Overall Functionality:

• The JWT Authentication ensures that your API can securely identify users using tokens. When a client makes a request, the token is validated based on the rules defined in the TokenValidationParameters. The security key ensures that the token hasn’t been tampered with.
• The Lockout Mechanism provides additional security by limiting the number of failed login attempts. This reduces the risk of brute-force attacks where attackers might try to guess passwords. After 3 incorrect attempts, the user is locked out for 5 minutes before they can try again.

This combination of JWT Authentication and ASP.NET Core Identity with lockout enhances the security of your API by:

• Protecting access with secure tokens.
• Preventing unauthorized access through brute-force attempts by locking out users after several failed login attempts.

These features together create a robust authentication and security layer for your web API.

Controller

The AccountController class you've provided is responsible for managing user authentication, including registration, login, and handling account lockout scenarios. It uses ASP.NET Core Identity with JWT token generation for secure user authentication.

Detailed Breakdown:

1. Controller Setup:
   • The controller inherits from ControllerBase and is designed to handle HTTP requests for account management.
   • It uses UserManager<IdentityUser> from ASP.NET Core Identity to manage user accounts (creation, authentication, etc.).

1. Register Method:

• HTTP Route: [HttpPost("register/{email}/{password}")]
• This method allows users to register by providing an email and password.
• It uses the UserManager.CreateAsync() method to create a new IdentityUser with the provided email and password.
  • The PasswordHash property should ideally not be set directly like this, as Identity will hash the password internally. However, the password is passed separately in the CreateAsync method, where ASP.NET Identity will handle hashing correctly.

Example of Usage:

• A POST request to /register/user@example.com/mysecurepassword creates a new user with that email and password.

2. GetUser Helper Method:

• A private helper method GetUser(string email) is used to retrieve the user from the database based on their email using UserManager.FindByEmailAsync(email).
• This method is used in both the registration and login methods to retrieve user information.

3. Login Method:

• HTTP Route: [HttpPost("login/{email}/{password}")]
• The login process handles authentication and also implements lockout logic for failed login attempts.

Steps:

• Check for Lockout:
  Before proceeding with authentication, it checks if the user is locked out using UserManager.IsLockedOutAsync. If the user is locked out, an Unauthorized response is returned.
• Password Validation:
  If the user is not locked out, it checks whether the provided password is correct using UserManager.CheckPasswordAsync.
• Failed Login Handling:
  • If the password is incorrect, the failed access count is increased using UserManager.AccessFailedAsync, and the number of remaining attempts is calculated by getting the failed access count.
  • If the user exceeds the maximum allowed attempts (3 in this case), an appropriate message is returned, either informing them about the remaining attempts or notifying them that there are no retry attempts left.
• Successful Login Handling:
  • If the password is correct, the failed access count is reset using UserManager.ResetAccessFailedCountAsync, and the user is authenticated.
  • The method returns an authentication token (JWT) generated by the GenerateToken method.

4. GenerateToken Method:

• This method generates a JWT (JSON Web Token) for the authenticated user. JWT is a secure way to authenticate users and carry their identity across different systems.

Token Details:

• Signing Credentials:
  The JWT is signed using a SymmetricSecurityKey and the HMAC-SHA256 algorithm. The secret key used for signing is "Qw12ER34TY56Ui78oi98v2bNh78JK4Hods7uUj12". This ensures the token’s integrity and authenticity.
• Claims:
  The token contains claims such as the user's email. Claims provide a way to include additional data about the user in the token.
• Token Expiry:
  The token does not have an expiration date in this implementation (expires: null). This can be a security concern in production, as tokens should typically have a limited lifespan.

The token is then written and returned as a string, which the client can use for future authenticated requests.

Summary of Key Features:

• Registration: Users can register with an email and password, and ASP.NET Identity handles the user creation process.
• Login with Lockout: After three failed login attempts, users are locked out for a specified duration (configured in Identity settings). Upon a successful login, the failed attempt counter is reset.
• JWT Token Generation: After a successful login, the controller generates a JWT for the user, which can be used to authenticate further requests to the API.

Considerations:

• Security: The PasswordHash property should not be manually assigned; ASP.NET Identity handles password hashing. Ensure proper password validation and encryption practices are followed.
• JWT Expiration: For a production system, it's important to set an expiration time for JWTs to prevent long-term token abuse.