feat: you can configure whether to record login attempts

The default is record only failure login attempts.

Author: kenjis

src/Authentication/Authenticators/JWT.php

@@ -10,6 +10,7 @@
 use CodeIgniter\Shield\Authentication\AuthenticatorInterface;
 use CodeIgniter\Shield\Authentication\Authenticators\JWT\FirebaseAdapter;
 use CodeIgniter\Shield\Authentication\Authenticators\JWT\JWTAdapterInterface;
+use CodeIgniter\Shield\Config\Auth;
 use CodeIgniter\Shield\Config\AuthJWT;
 use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Exceptions\RuntimeException;
@@ -56,6 +57,9 @@ public function __construct(UserModel $provider, ?JWTAdapterInterface $jwtAdapte
      */
     public function attempt(array $credentials): Result
     {
+        /** @var AuthJWT $config */
+        $config = config('AuthJWT');
+
         /** @var IncomingRequest $request */
         $request = service('request');
 
@@ -65,14 +69,16 @@ public function attempt(array $credentials): Result
         $result = $this->check($credentials);
 
         if (! $result->isOK()) {
-            // Always record a login attempt, whether success or not.
-            $this->tokenLoginModel->recordLoginAttempt(
-                self::ID_TYPE_JWT,
-                $credentials['token'] ?? '',
-                false,
-                $ipAddress,
-                $userAgent
-            );
+            if ($config->recordLoginAttempt >= Auth::RECORD_LOGIN_ATTEMPT_FAILURE) {
+                // Record a failed login attempt.
+                $this->tokenLoginModel->recordLoginAttempt(
+                    self::ID_TYPE_JWT,
+                    $credentials['token'] ?? '',
+                    false,
+                    $ipAddress,
+                    $userAgent
+                );
+            }
 
             return $result;
         }
@@ -81,14 +87,17 @@ public function attempt(array $credentials): Result
 
         $this->login($user);
 
-        $this->tokenLoginModel->recordLoginAttempt(
-            self::ID_TYPE_JWT,
-            $credentials['token'] ?? '',
-            true,
-            $ipAddress,
-            $userAgent,
-            $this->user->id
-        );
+        if ($config->recordLoginAttempt === Auth::RECORD_LOGIN_ATTEMPT_ALL) {
+            // Record a successful login attempt.
+            $this->tokenLoginModel->recordLoginAttempt(
+                self::ID_TYPE_JWT,
+                $credentials['token'] ?? '',
+                true,
+                $ipAddress,
+                $userAgent,
+                $this->user->id
+            );
+        }
 
         return $result;
     }

src/Config/Auth.php

@@ -15,6 +15,10 @@
 
 class Auth extends BaseConfig
 {
+    public const RECORD_LOGIN_ATTEMPT_NONE    = 0; // Do not record at all
+    public const RECORD_LOGIN_ATTEMPT_FAILURE = 1; // Record only failures
+    public const RECORD_LOGIN_ATTEMPT_ALL     = 2; // Record all login attempts
+
     /**
      * ////////////////////////////////////////////////////////////////////
      * AUTHENTICATION

src/Config/AuthJWT.php

@@ -5,7 +5,6 @@
 namespace CodeIgniter\Shield\Config;
 
 use CodeIgniter\Config\BaseConfig;
-use CodeIgniter\Shield\Authentication\Authenticators\JWT;
 
 /**
  * JWT Authenticator Configuration
@@ -38,4 +37,14 @@ class AuthJWT extends BaseConfig
      * Specifies the amount of time, in seconds, that a token is valid.
      */
     public int $timeToLive = HOUR;
+
+    /**
+     * Whether login attempts are recorded in the database.
+     *
+     * Valid values are:
+     * - Auth::RECORD_LOGIN_ATTEMPT_NONE
+     * - Auth::RECORD_LOGIN_ATTEMPT_FAILURE
+     * - Auth::RECORD_LOGIN_ATTEMPT_ALL
+     */
+    public int $recordLoginAttempt = Auth::RECORD_LOGIN_ATTEMPT_FAILURE;
 }

tests/Authentication/Authenticators/JWTAuthenticatorTest.php

@@ -197,6 +197,11 @@ public function testAttemptBadSignatureToken(): void
 
     public function testAttemptSuccess(): void
     {
+        // Change $recordLoginAttempt in Config.
+        /** @var AuthJWT $config */
+        $config                     = config('AuthJWT');
+        $config->recordLoginAttempt = Auth::RECORD_LOGIN_ATTEMPT_ALL;
+
         $token = $this->generateJWT();
 
         $result = $this->auth->attempt([