fix: fallback to password login when mfa needs captcha

ssongliu · ssongliu · commit d8b1b772ebc5 · 2026-04-08T16:38:29.000+08:00
diff --git a/core/app/api/v2/auth.go b/core/app/api/v2/auth.go
@@ -12,6 +12,7 @@ import (
 	"github.com/1Panel-dev/1Panel/core/buserr"
 	"github.com/1Panel-dev/1Panel/core/constant"
 	"github.com/1Panel-dev/1Panel/core/global"
+	initauth "github.com/1Panel-dev/1Panel/core/init/auth"
 	"github.com/1Panel-dev/1Panel/core/utils/captcha"
 	"github.com/1Panel-dev/1Panel/core/utils/common"
 	"github.com/gin-gonic/gin"
@@ -109,6 +110,12 @@ func (b *BaseApi) MFALogin(c *gin.Context) {
 	go saveLoginLogs(c, wrapLoginErr(msgKey, err))
 	if msgKey == "ErrMFA" {
 		global.IPTracker.RecordFailure(ip)
+		failures := initauth.GetMFASessionStore().RecordFailure(req.SessionID)
+		if failures >= initauth.MFASessionMaxFailures {
+			global.IPTracker.SetNeedCaptcha(ip)
+			helper.BadAuth(c, "ErrCaptchaCode", nil)
+			return
+		}
 		helper.BadAuth(c, msgKey, err)
 		return
 	}
diff --git a/core/app/service/auth.go b/core/app/service/auth.go
@@ -114,7 +114,6 @@ func (u *AuthService) MFALogin(c *gin.Context, info dto.MFALogin, entrance strin
 	}
 	success := mfa.ValidCode(info.Code, mfaInterval.Value, mfaSecret.Value)
 	if !success {
-		mfaSessions.RecordFailure(info.SessionID)
 		return nil, "ErrMFA", nil
 	}
 	res, err := u.generateSession(c, session.Name)
diff --git a/core/init/auth/mfa_session.go b/core/init/auth/mfa_session.go
@@ -76,27 +76,27 @@ func (s *mfaSessionStore) Delete(sessionID string) {
 	delete(s.items, sessionID)
 }
 
-func (s *mfaSessionStore) RecordFailure(sessionID string) bool {
+func (s *mfaSessionStore) RecordFailure(sessionID string) int {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
 	item, ok := s.items[sessionID]
 	if !ok {
-		return false
+		return 0
 	}
 	if time.Now().After(item.ExpiresAt) {
 		delete(s.items, sessionID)
-		return false
+		return 0
 	}
 
 	item.Failures++
 	if item.Failures >= MFASessionMaxFailures {
 		delete(s.items, sessionID)
-		return false
+		return item.Failures
 	}
 
 	s.items[sessionID] = item
-	return true
+	return item.Failures
 }
 
 func (s *mfaSessionStore) cleanupExpiredLocked() {
diff --git a/frontend/src/views/login/components/login-form.vue b/frontend/src/views/login/components/login-form.vue
@@ -437,6 +437,7 @@ const login = (formEl: FormInstance | undefined) => {
                 mfaLoginForm.code = '';
                 mfaShow.value = true;
                 errMfaInfo.value = false;
+                errCaptcha.value = false;
                 nextTick(() => {
                     mfaLoginRef.value?.focus();
                 });
@@ -485,6 +486,7 @@ const mfaLogin = async (auto: boolean) => {
     if ((!auto && mfaLoginForm.code) || (auto && mfaLoginForm.code.length === 6)) {
         isLoggingIn = true;
         try {
+            errMfaInfo.value = false;
             await mfaLoginApi(mfaLoginForm);
             globalStore.setLogStatus(true);
             menuStore.setMenuList([]);
@@ -498,14 +500,23 @@ const mfaLogin = async (auto: boolean) => {
             document.onkeydown = null;
         } catch (res) {
             if (res.code === 401) {
-                if (res.message === 'ErrMFA') {
+                if (res.message === 'ErrCaptchaCode') {
+                    globalStore.ignoreCaptcha = false;
+                    mfaLoginForm.code = '';
+                    mfaShow.value = false;
+                    loginVerify();
+                    nextTick(() => {
+                        userNameRef.value?.focus();
+                    });
+                } else if (res.message === 'ErrMFA') {
                     errMfaInfo.value = true;
                 } else if (res.message) {
                     MsgError(res.message);
                 }
                 isLoggingIn = false;
                 return;
             }
+            loginVerify();
         } finally {
             isLoggingIn = false;
         }

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,6 @@ func (u AuthService) MFALogin(c gin.Context, info dto.MFALogin, entrance strin`
`114`	`114`	`}`
`115`	`115`	`success := mfa.ValidCode(info.Code, mfaInterval.Value, mfaSecret.Value)`
`116`	`116`	`if !success {`
`117`		`- mfaSessions.RecordFailure(info.SessionID)`
`118`	`117`	`return nil, "ErrMFA", nil`
`119`	`118`	`}`
`120`	`119`	`res, err := u.generateSession(c, session.Name)`
Original file line number	Diff line number	Diff line change
`@@ -76,27 +76,27 @@ func (s *mfaSessionStore) Delete(sessionID string) {`
`76`	`76`	`delete(s.items, sessionID)`
`77`	`77`	`}`
`78`	`78`
`79`		`-func (s *mfaSessionStore) RecordFailure(sessionID string) bool {`
	`79`	`+func (s *mfaSessionStore) RecordFailure(sessionID string) int {`
`80`	`80`	`s.mu.Lock()`
`81`	`81`	`defer s.mu.Unlock()`
`82`	`82`
`83`	`83`	`item, ok := s.items[sessionID]`
`84`	`84`	`if !ok {`
`85`		`- return false`
	`85`	`+ return 0`
`86`	`86`	`}`
`87`	`87`	`if time.Now().After(item.ExpiresAt) {`
`88`	`88`	`delete(s.items, sessionID)`
`89`		`- return false`
	`89`	`+ return 0`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`item.Failures++`
`93`	`93`	`if item.Failures >= MFASessionMaxFailures {`
`94`	`94`	`delete(s.items, sessionID)`
`95`		`- return false`
	`95`	`+ return item.Failures`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`s.items[sessionID] = item`
`99`		`- return true`
	`99`	`+ return item.Failures`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`func (s *mfaSessionStore) cleanupExpiredLocked() {`