task/FOUR-30041: Account Lock Fails to Invalidate Active Login Session#8755
Merged
Add middleware to block authenticated users whose status is BLOCKED or INACTIVE. Introduces EnsureAccountAllowsAccess middleware (with blockingResponseForRequest and denyAccess helpers) that logs out the user, invalidates the session, and returns a JSON 401 for API requests or redirects to login with appropriate error messages for web requests. Wire the middleware into the HTTP kernel and update ProcessMakerAuthenticate to invoke the same blocking check after successful authentication so auth:api routes (core and packages) are also enforced.
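The defect and the fix described above, modelled as an added example rather than ProcessMaker's own code: a server keeps a session store and a user table, and a per-request check (a stand-in for EnsureAccountAllowsAccess and its denyAccess helper) rejects any authenticated user whose status is BLOCKED or INACTIVE, destroying the session and answering with a JSON 401 for API requests or a redirect to login for web requests. The Request, Response and Server classes, the `/api/` prefix test and the `error=` query parameter are assumptions made for the model; only the status names and the behaviour come from the PR.

```python
# Added example (not ProcessMaker's code): a minimal model of the per-request
# account-status check the PR describes. Request, Response, Server and the
# ACTIVE status string are simplified stand-ins, not framework types.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ACTIVE, BLOCKED, INACTIVE = "ACTIVE", "BLOCKED", "INACTIVE"


@dataclass
class User:
    id: int
    status: str = ACTIVE


@dataclass
class Request:
    path: str
    session_id: Optional[str] = None
    accept: str = "text/html"

    def expects_json(self) -> bool:
        # Assumption: API routes and JSON clients count as API requests.
        return self.path.startswith("/api/") or "application/json" in self.accept


@dataclass
class Response:
    status: int
    body: Optional[dict] = None
    location: Optional[str] = None


class Server:
    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.sessions: Dict[str, int] = {}  # server-side store: session id -> user id
        self._next = 0

    def login(self, user_id: int) -> Optional[str]:
        # New logins for a locked account are already refused; the defect is
        # that sessions issued before the lock keep working.
        if self.users[user_id].status != ACTIVE:
            return None
        self._next += 1
        sid = f"sess-{self._next}"
        self.sessions[sid] = user_id
        return sid

    def lock(self, user_id: int, status: str = BLOCKED) -> None:
        self.users[user_id].status = status

    def current_user(self, request: Request) -> Optional[User]:
        uid = self.sessions.get(request.session_id or "")
        return self.users.get(uid) if uid is not None else None

    def deny_access(self, request: Request, user: User) -> Response:
        # Log the user out and invalidate the session before answering.
        self.sessions.pop(request.session_id, None)
        if request.expects_json():
            return Response(401, body={"error": "Unauthenticated."})
        reason = "blocked" if user.status == BLOCKED else "inactive"
        return Response(302, location=f"/login?error={reason}")

    def ensure_account_allows_access(
        self, request: Request, next_handler: Callable[[Request, Optional[User]], Response]
    ) -> Response:
        # Runs on every request, after authentication: a valid session is not enough.
        user = self.current_user(request)
        if user is not None and user.status in (BLOCKED, INACTIVE):
            return self.deny_access(request, user)
        return next_handler(request, user)


def protected_handler(request: Request, user: Optional[User]) -> Response:
    if user is None:
        if request.expects_json():
            return Response(401, body={"error": "Unauthenticated."})
        return Response(302, location="/login")
    return Response(200, body={"user": user.id})


def handle_before_fix(server: Server, request: Request) -> Response:
    # Authentication only: the account status is never rechecked.
    return protected_handler(request, server.current_user(request))


def handle_after_fix(server: Server, request: Request) -> Response:
    return server.ensure_account_allows_access(request, protected_handler)


def demo() -> dict:
    server = Server()
    server.users[7] = User(7)
    server.users[8] = User(8)
    api_sid = server.login(7)
    web_sid = server.login(8)
    api = Request("/api/1.0/users", session_id=api_sid, accept="application/json")
    web = Request("/requests", session_id=web_sid)
    ok = handle_after_fix(server, api).status        # 200 while ACTIVE
    server.lock(7, BLOCKED)
    server.lock(8, INACTIVE)
    stale = handle_before_fix(server, api).status    # 200: the lock is ignored
    api_denied = handle_after_fix(server, api)       # 401 JSON, session destroyed
    web_denied = handle_after_fix(server, web)       # redirect to login
    return {
        "active_ok": ok,
        "before_fix_after_lock": stale,
        "after_fix_api": api_denied.status,
        "after_fix_api_body": api_denied.body,
        "api_session_invalidated": api_sid not in server.sessions,
        "after_fix_web": web_denied.status,
        "after_fix_web_location": web_denied.location,
        "relogin_refused": server.login(7) is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check has to run on every authenticated request, not only at login, which is why the PR wires it both into the HTTP kernel and into the API authentication path; checking at login alone is exactly the gap the penetration test found.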
Contributor
✅ Performance tests completed. Baseline: Comparison (
| Metric | Baseline | Update |
|---|---|---|
| iterations | `` | `` |
| http_req_duration (avg ms) | `` | `` |
| http_req_failed (%) | `` | `` |
k6 summary — baseline (Api-10-create-users)
█ TOTAL RESULTS
HTTP
http_req_duration...: avg=114.11ms min=114.11ms med=114.11ms max=114.11ms p(90)=114.11ms p(95)=114.11ms
http_req_failed.....: 100.00% 1 out of 1
http_reqs...........: 1 3.70978/s
NETWORK
data_received.......: 3.9 kB 14 kB/s
data_sent...........: 3.2 kB 12 kB/s
Run [ 100% ] setup()
createUsers [ 0% ]
time="2026-03-23T23:17:57Z" level=error msg="Error: POST /api/1.0/groups: expected 201 or 200, got 401: {\"error\":\"Unauthenticated.\"}\n\tat setup (file:///home/runner/work/processmaker/processmaker/automated-performance-metrics/scripts/Api/10-create-users.js:52:11(46))\n" hint="script exception"
k6 summary — update (Api-10-create-users)
█ TOTAL RESULTS
HTTP
http_req_duration...: avg=181.99ms min=181.99ms med=181.99ms max=181.99ms p(90)=181.99ms p(95)=181.99ms
http_req_failed.....: 100.00% 1 out of 1
http_reqs...........: 1 2.217219/s
NETWORK
data_received.......: 5.0 kB 11 kB/s
data_sent...........: 3.2 kB 7.2 kB/s
Run [ 100% ] setup()
createUsers [ 0% ]
time="2026-03-23T23:18:28Z" level=error msg="Error: POST /api/1.0/groups: expected 201 or 200, got 401: {\"error\":\"Unauthenticated.\"}\n\tat setup (file:///home/runner/work/processmaker/processmaker/automated-performance-metrics/scripts/Api/10-create-users.js:52:11(46))\n" hint="script exception"
Comparison (Api-20-users-index)
| Metric | Baseline | Update |
|---|---|---|
| iterations | 68 (34.034563/s) | 61 (30.557908/s) |
| http_req_duration (avg ms) | `` | `` |
| http_req_failed (%) | `` | `` |
k6 summary — baseline (Api-20-users-index)
█ TOTAL RESULTS
checks_total.......: 68 34.034563/s
checks_succeeded...: 0.00% 0 out of 68
checks_failed......: 100.00% 68 out of 68
✗ status is 200
↳ 0% — ✓ 0 / ✗ 68
HTTP
http_req_duration....: avg=497.13ms min=207ms med=488.19ms max=760.15ms p(90)=704.98ms p(95)=742.41ms
http_req_failed......: 100.00% 68 out of 68
http_reqs............: 68 34.034563/s
EXECUTION
iteration_duration...: avg=513.98ms min=256.26ms med=501.18ms max=823.43ms p(90)=705.1ms p(95)=758.03ms
iterations...........: 68 34.034563/s
vus..................: 20 min=20 max=20
vus_max..............: 20 min=20 max=20
NETWORK
data_received........: 112 kB 56 kB/s
data_sent............: 66 kB 33 kB/s
running (02.0s), 00/20 VUs, 68 complete and 20 interrupted iterations
default ✗ [ 20% ] 20 VUs 02.0s/10s
time="2026-03-23T23:17:59Z" level=error msg="thresholds on metrics 'http_req_failed' were crossed; at least one has abortOnFail enabled, stopping test prematurely"
k6 summary — update (Api-20-users-index)
█ TOTAL RESULTS
checks_total.......: 61 30.557908/s
checks_succeeded...: 0.00% 0 out of 61
checks_failed......: 100.00% 61 out of 61
✗ status is 200
↳ 0% — ✓ 0 / ✗ 61
HTTP
http_req_duration....: avg=533.98ms min=295.04ms med=520.18ms max=835.37ms p(90)=723.42ms p(95)=748.15ms
http_req_failed......: 100.00% 61 out of 61
http_reqs............: 61 30.557908/s
EXECUTION
iteration_duration...: avg=573.48ms min=295.14ms med=553.29ms max=967.52ms p(90)=729.35ms p(95)=848.02ms
iterations...........: 61 30.557908/s
vus..................: 20 min=20 max=20
vus_max..............: 20 min=20 max=20
NETWORK
data_received........: 108 kB 54 kB/s
data_sent............: 66 kB 33 kB/s
running (02.0s), 00/20 VUs, 61 complete and 20 interrupted iterations
default ✗ [ 20% ] 20 VUs 02.0s/10s
time="2026-03-23T23:18:30Z" level=error msg="thresholds on metrics 'http_req_failed' were crossed; at least one has abortOnFail enabled, stopping test prematurely"
Contributor
✅ Performance tests completed. Baseline: Comparison (
| Metric | Baseline | Update |
|---|---|---|
| iterations | `` | `` |
| http_req_duration (avg ms) | `` | `` |
| http_req_failed (%) | `` | `` |
k6 summary — baseline (Api-10-create-users)
█ TOTAL RESULTS
HTTP
http_req_duration...: avg=219.17ms min=219.17ms med=219.17ms max=219.17ms p(90)=219.17ms p(95)=219.17ms
http_req_failed.....: 100.00% 1 out of 1
http_reqs...........: 1 2.332497/s
NETWORK
data_received.......: 5.0 kB 12 kB/s
data_sent...........: 3.2 kB 7.5 kB/s
Run [ 100% ] setup()
createUsers [ 0% ]
time="2026-03-24T15:44:10Z" level=error msg="Error: POST /api/1.0/groups: expected 201 or 200, got 401: {\"error\":\"Unauthenticated.\"}\n\tat setup (file:///home/runner/work/processmaker/processmaker/automated-performance-metrics/scripts/Api/10-create-users.js:52:11(46))\n" hint="script exception"
k6 summary — update (Api-10-create-users)
█ TOTAL RESULTS
HTTP
http_req_duration...: avg=170.3ms min=170.3ms med=170.3ms max=170.3ms p(90)=170.3ms p(95)=170.3ms
http_req_failed.....: 100.00% 1 out of 1
http_reqs...........: 1 2.880757/s
NETWORK
data_received.......: 3.9 kB 11 kB/s
data_sent...........: 3.2 kB 9.3 kB/s
Run [ 100% ] setup()
createUsers [ 0% ]
time="2026-03-24T15:44:50Z" level=error msg="Error: POST /api/1.0/groups: expected 201 or 200, got 401: {\"error\":\"Unauthenticated.\"}\n\tat setup (file:///home/runner/work/processmaker/processmaker/automated-performance-metrics/scripts/Api/10-create-users.js:52:11(46))\n" hint="script exception"
Comparison (Api-20-users-index)
| Metric | Baseline | Update |
|---|---|---|
| iterations | 62 (31.045201/s) | 61 (30.542695/s) |
| http_req_duration (avg ms) | `` | `` |
| http_req_failed (%) | `` | `` |
k6 summary — baseline (Api-20-users-index)
█ TOTAL RESULTS
checks_total.......: 62 31.045201/s
checks_succeeded...: 0.00% 0 out of 62
checks_failed......: 100.00% 62 out of 62
✗ status is 200
↳ 0% — ✓ 0 / ✗ 62
HTTP
http_req_duration....: avg=514.99ms min=224.32ms med=519.37ms max=830.46ms p(90)=662.33ms p(95)=708.13ms
http_req_failed......: 100.00% 62 out of 62
http_reqs............: 62 31.045201/s
EXECUTION
iteration_duration...: avg=571.53ms min=286.93ms med=558.48ms max=940.62ms p(90)=759.08ms p(95)=779.88ms
iterations...........: 62 31.045201/s
vus..................: 20 min=20 max=20
vus_max..............: 20 min=20 max=20
NETWORK
data_received........: 110 kB 55 kB/s
data_sent............: 66 kB 33 kB/s
running (02.0s), 00/20 VUs, 62 complete and 20 interrupted iterations
default ✗ [ 20% ] 20 VUs 02.0s/10s
time="2026-03-24T15:44:13Z" level=error msg="thresholds on metrics 'http_req_failed' were crossed; at least one has abortOnFail enabled, stopping test prematurely"
k6 summary — update (Api-20-users-index)
█ TOTAL RESULTS
checks_total.......: 61 30.542695/s
checks_succeeded...: 0.00% 0 out of 61
checks_failed......: 100.00% 61 out of 61
✗ status is 200
↳ 0% — ✓ 0 / ✗ 61
HTTP
http_req_duration....: avg=494.3ms min=323.87ms med=482.65ms max=859.28ms p(90)=587.63ms p(95)=701ms
http_req_failed......: 100.00% 61 out of 61
http_reqs............: 61 30.542695/s
EXECUTION
iteration_duration...: avg=538.64ms min=324.05ms med=523.17ms max=996.75ms p(90)=670.34ms p(95)=842.6ms
iterations...........: 61 30.542695/s
vus..................: 20 min=20 max=20
vus_max..............: 20 min=20 max=20
NETWORK
data_received........: 106 kB 53 kB/s
data_sent............: 66 kB 33 kB/s
running (02.0s), 00/20 VUs, 61 complete and 20 interrupted iterations
default ✗ [ 20% ] 20 VUs 02.0s/10s
time="2026-03-24T15:44:52Z" level=error msg="thresholds on metrics 'http_req_failed' were crossed; at least one has abortOnFail enabled, stopping test prematurely"
nolanpro
approved these changes
Mar 24, 2026
ci:performance-tests
Description
During the web application penetration test, it was identified that when an administrator locks or disables a user account, any already established active sessions for that user remain valid and functional.
Although the application correctly prevents new login attempts for the locked account, previously issued session tokens are not invalidated or terminated. As a result, a user who was locked out by an administrator can continue accessing the application using their existing authenticated session.
Solution
Screen.Recording.2026-03-23.at.5.53.39.PM.mov
Screen.Recording.2026-03-23.at.5.32.18.PM.mov
Related Tickets and PRs
https://processmaker.atlassian.net/browse/FOUR-30041