OpenStackweb · matiasperrone-exo · May 19, 2026
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
@@ -396,8 +396,8 @@ public function postLogin()
     {
         $max_login_attempts_2_show_captcha = $this->server_configuration_service->getConfigValue("MaxFailed.LoginAttempts.2ShowCaptcha");
         $max_login_failed_attempts = intval($this->server_configuration_service->getConfigValue("MaxFailed.Login.Attempts"));
-        $login_attempts                    = 0;
-        $username                          = '';
+        $login_attempts = (int) Session::get('captcha_failed_attempts', 0);
+        $username = '';
         $user = null;
 
         try
@@ -411,7 +411,6 @@ public function postLogin()
             if (isset($data['password']))
                 $data['password'] = trim($data['password']);
 
-            $login_attempts = intval(Request::input('login_attempts'));
             // Build the validation constraint set.
             $rules = [
                 'username' => 'required|email',
@@ -436,7 +435,10 @@ public function postLogin()
                 $connection = $data['connection'] ?? null;
 
                 try {
+                    $user = $this->auth_service->getUserByUsername($username);
                     if ($flow == "password" && $this->auth_service->login($username, $password, $remember)) {
+                        Session::forget('captcha_failed_attempts');
+                        Session::save();
                         return $this->login_strategy->postLogin();
                     }
 
@@ -468,15 +470,18 @@ public function postLogin()
 
                         $otpClaim = OAuth2OTP::fromParams($username, $connection, $password);
                         $this->auth_service->loginWithOTP($otpClaim, $client);
+                        Session::forget('captcha_failed_attempts');
+                        Session::save();
                         return $this->login_strategy->postLogin();
                     }
                 } catch (AuthenticationException $ex) {
                     // failed login attempt...
 
-                    $user = $this->auth_service->getUserByUsername($username);
-                    if (!is_null($user)) {
-                        $login_attempts = $user->getLoginFailedAttempt();
-                    }
+                    $login_attempts = $login_attempts + 1;
+                    Session::put('captcha_failed_attempts', $login_attempts);
+                    Session::save();
+
+                    // User.loginFailedAttempt drives account lockout (persisted by auth_service).
 
                     return $this->login_strategy->errorLogin
                     (
@@ -525,6 +530,9 @@ public function postLogin()
             Log::warning($ex1);
 
             $user = $this->auth_service->getUserByUsername($username);
+            $login_attempts = $login_attempts + 1;
+            Session::put('captcha_failed_attempts', $login_attempts);
+            Session::save();
 
             $response_data =    [
                 'max_login_attempts_2_show_captcha' => $max_login_attempts_2_show_captcha,

diff --git a/resources/js/login/login.js b/resources/js/login/login.js
@@ -185,7 +185,6 @@ const PasswordInputForm = ({
             <input type="hidden" value={userNameValue} id="username" name="username"/>
             <input type="hidden" value={csrfToken} id="_token" name="_token"/>
             <input type="hidden" value="password" id="flow" name="flow"/>
-            <input type="hidden" value={loginAttempts} id="login_attempts" name="login_attempts"/>
             {shouldShowCaptcha() && captchaPublicKey &&
                 <Turnstile
                     className={styles.turnstile}
@@ -271,7 +270,6 @@ const OTPInputForm = ({
                 <input type="hidden" value="otp" id="flow" name="flow"/>
                 <input type="hidden" value={otpCode} id="password" name="password"/>
                 <input type="hidden" value="email" id="connection" name="connection"/>
-                <input type="hidden" value={loginAttempts} id="login_attempts" name="login_attempts"/>
                 {shouldShowCaptcha() && captchaPublicKey &&
                     <Turnstile
                         className={styles.turnstile}

diff --git a/resources/views/auth/login.blade.php b/resources/views/auth/login.blade.php
@@ -62,8 +62,8 @@
             config.maxLoginFailedAttempts = {{Session::get("max_login_failed_attempts")}};
         @endif
 
-        @if(Session::has('login_attempts'))
-            config.loginAttempts = {{Session::get("login_attempts")}};
+        @if(Session::has('captcha_failed_attempts'))
+            config.loginAttempts = {{Session::get("captcha_failed_attempts")}};
         @endif
 
         @if(Session::has('user_is_active'))