Customer who exceeded max login failures not able to login even after reset password

[tizzyguy87]

Preconditions

1. Magento CE 2.2(Headless commerce), MySqlp, PHP V7
2. Magento deployed on AWS EC2

Steps to reproduce

1. Enter invalid password more than default max limit(probably 6)
2. Reset password from admin console or using API for that customer
3. Customer receives email notification to reset password
4. Customer completes Reset Password and gives new password
5. Customer tries to login with new password
6. Customer receives error from login API - "You did not sign in correctly or your account is temporarily disabled"

Expected result

1. Customer should be allowed to login successfully as Reset Password completed successfully.

Actual result

1. Customer receives error "You did not sign in correctly or your account is temporarily disabled" even though new password hash is updated in customer entity

Other Details

I tried to set failure num to 0 in customer_entity and did password reset. Still customer is not allowed to login.

[tizzyguy87]

Magento Team,
Is there any update on this? Please provide your comments.

[miguelbalparda]

@tizzyguy87 there is a patch for this in #15534, can you check it and report back?

[tizzyguy87]

Sure. I will work on it and provide an update.

[tizzyguy87]

Hi @miguelbalparda,

We are using Magento 2.2.0. I can see that you have added only 1 line of code as a fix. There is difference in original code in file which you have modified. Which version of Magento you used?

As there is only 1 line of code, I added same line in my resetPassword method and it didn't fix the issue. I am still not able to login. Please find attached file from Magento 2.2.0 version with your fix at line number 556
AccountManagement.txt

Can you please check this.

[miguelbalparda]

It seems some code you are missing was introduced in 2.2.3. I'd recommend upgrading to the latest 2.2 available and then apply the patch to see if it fixes your issue.

[tizzyguy87]

@miguelbalparda

I upgraded Magento to 2.2.4. But unfortunately we have different issue (#15664).

So I am not able to login once user is created.

I will verify fix you have suggested once that issue is resolved. Thanks.

[tizzyguy87]

@miguelbalparda
I upgraded to 2.2.4 and I added 1 line of code which you have given. I am not able to resolve issue. Still I am getting error message after resetting password.

If I enter incorrect passwords, it is not updating failures_number and first_failure. Not sure how to fix this.

[magento-engcom-team]

Hi @tizzyguy87. Thank you for your report.
The issue has been fixed in #15534 by @andreagaspardo in 2.2-develop branch
Related commit(s):

• 18bbf2193a774d4f7db63187ff168a8f2a2690a0

The fix will be available with the upcoming 2.2.6 release.

[magento-engcom-team]

Hi @tizzyguy87. Thank you for your report.
The issue has been fixed in #16256 by @vgelani in 2.3-develop branch
Related commit(s):

• a10823350e8aadf038cbec60acb3b61311a3193c

The fix will be available with the upcoming 2.3.0 release.

[sidolov]

Hi @tizzyguy87. Thank you for your report.
The issue has been fixed in #16255 by @vgelani in 2.1-develop branch
Related commit(s):

• be0f9bcacec24c78955d5773886ab942722f1c20

The fix will be available with the upcoming 2.1.15 release.

[paul-blundell]

Has this really been fixed in 2.3? I am seeing the same issue and after checking the code against the linked commits, I am not seeing the $this->getAuthentication()->unlock($customer->getId()); line in the resetPassword function.