How about a login captcha?
Force the user to solve a captcha if they have tried to log in 3 times with the wrong password.
Here is a potential development plan for solving the current issue:
Add a new column, LoginAttempts, to the User model.
Every time a user provides a wrong password on sign in, LoginAttempts is incremented.
Every time a user provides a valid password on sign in, LoginAttempts is set to 0.
If LoginAttempts becomes bigger than X, a new captcha field appears in the sign-in form.

I think we could use the existing configuration flag in order to know if we should force captcha checking after X failed attempts.
Also, I think that the number of failed login attempts X could be hardcoded to 5 directly in code.
@savionok I think a new column in the user table is unnecessary. But the LoginAttempts could be saved in the session.
@lunny if we are trying to stop a hack attempt by putting up a captcha and reducing the odds that it's a robot attempt, we should not trust the session cookies, I believe.
@guillep2k Currently we allow one user to log in several times, maybe once from your personal computer, once from your work computer and once from your mobile. So storing it in one database column will result in other things. If we want to do that, we need a device management table. Of course we can do that after longer consideration.
We have depended on session cookies for login, I think. Once you have a different cookie value from when you logged in, you will be logged out.
@lunny Captchas are normally meant to tell humans from robots that can be doing a dictionary attack. If that's not our intention, why use a captcha at all? Robots will certainly not honor session cookies.
Any cookies kept in the real user's computers should not be affected in any way. If they were valid, they should remain valid. No problems there.
As I understand it, the LoginAttempts column is actually meant to count login failures, not attempts (it should be named LoginFailures instead). It shouldn't affect the normal workflow of the real user, even if they use fifteen computers. If the real user logs in from another computer when LoginAttempts is maxed out, the login failure count will simply be reset to zero, even if the "robot" is failing repeatedly, but that would only give the robot three more tries. It may require the user to pass the captcha, but that's very good: knowing that someone else is trying to hack our account!
Tools like RSS readers or even git's HTTP protocol will not be affected by this because they don't use the login form.
I agree @guillep2k, this can be global per user and reset to zero on successful authorization.
We should probably also keep the last failed authorization timestamp so that we can discard the failure count after x minutes have passed.
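The counter the thread converges on (failures keyed by user name rather than by session cookie, reset to zero on a successful sign in, and discarded once the last failure is older than a time window as the previous comment suggests), as an added example that is not Gitea's own code. `FailureTracker`, `SignIn` and the in-memory map are assumptions for illustration; a real deployment would persist the count and timestamp. The demo uses the threshold of 3 from the opening post; the thread also floats 5, so it is a parameter here.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// FailureTracker counts failed sign-in attempts per user name, not per
// session, so a bot that drops its cookies still hits the threshold.
// Hypothetical type written for this example; it is not part of Gitea.
type FailureTracker struct {
	mu        sync.Mutex
	Threshold int           // captcha is required once failures reach this
	Window    time.Duration // failures older than this are forgotten
	failures  map[string]failureRecord
}

type failureRecord struct {
	count int
	last  time.Time // timestamp of the most recent failure
}

func NewFailureTracker(threshold int, window time.Duration) *FailureTracker {
	return &FailureTracker{
		Threshold: threshold,
		Window:    window,
		failures:  make(map[string]failureRecord),
	}
}

// current returns the stored record, treating it as empty when the last
// failure is older than Window (the "discard after x minutes" rule).
func (t *FailureTracker) current(user string, now time.Time) failureRecord {
	rec, ok := t.failures[user]
	if !ok || now.Sub(rec.last) > t.Window {
		return failureRecord{}
	}
	return rec
}

// RecordFailure increments the counter and returns the new value.
func (t *FailureTracker) RecordFailure(user string, now time.Time) int {
	t.mu.Lock()
	defer t.mu.Unlock()
	rec := t.current(user, now)
	rec.count++
	rec.last = now
	t.failures[user] = rec
	return rec.count
}

// RecordSuccess resets the counter to zero, as proposed in the thread.
func (t *FailureTracker) RecordSuccess(user string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	delete(t.failures, user)
}

// NeedsCaptcha reports whether the sign-in form must show the captcha field.
func (t *FailureTracker) NeedsCaptcha(user string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.current(user, now).count >= t.Threshold
}

type SignInResult int

const (
	SignInOK SignInResult = iota
	SignInBadPassword
	SignInCaptchaRequired
)

// SignIn models the form handler. passwordOK and captchaSolved stand in for
// the real password and captcha checks (assumed for the example).
func (t *FailureTracker) SignIn(user string, passwordOK, captchaSolved bool, now time.Time) SignInResult {
	// Demand the captcha before touching the password, so once the threshold is
	// reached a robot cannot keep guessing without solving it.
	if t.NeedsCaptcha(user, now) && !captchaSolved {
		return SignInCaptchaRequired
	}
	if !passwordOK {
		t.RecordFailure(user, now)
		return SignInBadPassword
	}
	t.RecordSuccess(user)
	return SignInOK
}

func main() {
	tr := NewFailureTracker(3, 10*time.Minute)
	now := time.Now()
	for i := 0; i < 3; i++ {
		tr.SignIn("alice", false, false, now) // three wrong passwords
	}
	fmt.Println("captcha required:", tr.NeedsCaptcha("alice", now))
	fmt.Println("correct password, no captcha:", tr.SignIn("alice", true, false, now) == SignInCaptchaRequired)
	fmt.Println("correct password with captcha:", tr.SignIn("alice", true, true, now) == SignInOK)
	fmt.Println("captcha still required:", tr.NeedsCaptcha("alice", now))
}
```

Passing `now` explicitly keeps the expiry logic testable without sleeping; the window check runs on every read, so no background sweeper is needed to forget stale failures.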