CB-5322 limit latest logins by time

server/bundles/io.cloudbeaver.service.security/src/io/cloudbeaver/service/security/CBEmbeddedSecurityController.java

@@ -1685,13 +1685,15 @@ private List<UserLoginRecord> getLatestUserLogins(Connection dbCon, String authP
                     "    {table_prefix}CB_AUTH_ATTEMPT attempt" +
                     "        JOIN" +
                     "    {table_prefix}CB_AUTH_ATTEMPT_INFO info ON attempt.AUTH_ID = info.AUTH_ID" +
-                    " WHERE AUTH_PROVIDER_ID = ? AND AUTH_USERNAME = ?" +
+                    " WHERE AUTH_PROVIDER_ID = ? AND AUTH_USERNAME = ? AND attempt.CREATE_TIME > ?" +
                     " ORDER BY attempt.CREATE_TIME DESC " +
                     database.getDialect().getOffsetLimitQueryPart(0, smConfig.getMaxFailedLogin())
             )
         )) {
             dbStat.setString(1, authProviderId);
             dbStat.setString(2, inputLogin);
+            dbStat.setTimestamp(3,
+                Timestamp.valueOf(LocalDateTime.now().minusSeconds(smConfig.getBlockLoginPeriod())));
             try (ResultSet dbResult = dbStat.executeQuery()) {
                 while (dbResult.next()) {
                     UserLoginRecord loginDto = new UserLoginRecord(

server/bundles/io.cloudbeaver.service.security/src/io/cloudbeaver/service/security/bruteforce/BruteForceUtils.java

@@ -30,21 +30,22 @@
 
     private static final Log log = Log.getLog(BruteForceUtils.class);
 
-    public static void checkBruteforce(SMControllerConfiguration smConfig, List<UserLoginRecord> latestLogins) throws DBException {
-        if (latestLogins.isEmpty()) {
+    public static void checkBruteforce(SMControllerConfiguration smConfig, List<UserLoginRecord> latestLoginAttempts)
+        throws DBException {
+        if (latestLoginAttempts.isEmpty()) {
             return;
         }
 
-        var latestLogin = latestLogins.get(0);
-        checkLoginInterval(latestLogin.time(), smConfig.getMinimumLoginTimeout());
+        var oldestLoginAttempt = latestLoginAttempts.get(latestLoginAttempts.size() - 1);
+        checkLoginInterval(oldestLoginAttempt.time(), smConfig.getMinimumLoginTimeout());
 
-        long errorsCount = latestLogins.stream()
+        long errorsCount = latestLoginAttempts.stream()
             .filter(authAttemptSessionInfo -> authAttemptSessionInfo.smAuthStatus() == SMAuthStatus.ERROR).count();
 
         boolean shouldBlock = errorsCount >= smConfig.getMaxFailedLogin();
         if (shouldBlock) {
             int blockPeriod = smConfig.getBlockLoginPeriod();
-            LocalDateTime unblockTime = latestLogin.time().plusSeconds(blockPeriod);
+            LocalDateTime unblockTime = oldestLoginAttempt.time().plusSeconds(blockPeriod);
 
             LocalDateTime now = LocalDateTime.now();
             shouldBlock = unblockTime.isAfter(now);
@@ -54,7 +55,7 @@
                 Duration lockDuration = Duration.ofSeconds(smConfig.getBlockLoginPeriod());
 
                 throw new SMException("Blocked the possibility of login for this user for " +
-                    lockDuration.minus(Duration.between(latestLogin.time(), now)).getSeconds() + " seconds");
+                    lockDuration.minus(Duration.between(oldestLoginAttempt.time(), now)).getSeconds() + " seconds");
             }
         }
     }