Merge pull request #2639 from wansir/bug

fix: auth failed response

pkg/controller/user/user_controller.go

@@ -562,7 +562,7 @@ func (c *Controller) syncUserStatus(user *iamv1alpha2.User) (*iamv1alpha2.User,
 	// blocked user, check if need to unblock user
 	if user.Status.State == iamv1alpha2.UserAuthLimitExceeded {
 		if user.Status.LastTransitionTime != nil &&
-			user.Status.LastTransitionTime.Add(c.authenticationOptions.AuthenticateRateLimiterDuration).After(time.Now()) {
+			user.Status.LastTransitionTime.Add(c.authenticationOptions.AuthenticateRateLimiterDuration).Before(time.Now()) {
 			expected := user.DeepCopy()
 			// unblock user
 			if user.Annotations[iamv1alpha2.PasswordEncryptedAnnotation] == "true" {
@@ -608,7 +608,6 @@ func (c *Controller) syncUserStatus(user *iamv1alpha2.User) (*iamv1alpha2.User,
 
 		return c.ksClient.IamV1alpha2().Users().Update(expect)
 	}
-
 	return user, nil
 }
 

pkg/kapis/oauth/handler.go

@@ -278,7 +278,9 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R
 			if err := h.loginRecorder.RecordLogin(username, iamv1alpha2.Token, "", err, req.Request); err != nil {
 				klog.Error(err)
 				response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err))
+				return
 			}
+			response.WriteError(http.StatusUnauthorized, apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)))
 			return
 		case im.AuthFailedIdentityMappingNotMatch:
 			response.WriteError(http.StatusUnauthorized, apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)))
@@ -288,6 +290,7 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R
 			return
 		default:
 			response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err))
+			return
 		}
 	}