1 files changed, 17 insertions, 30 deletions

diff --git a/Emby.Server.Implementations/Library/UserManager.cs b/Emby.Server.Implementations/Library/UserManager.cs
index a7ea13ca6..afa53ff37 100644
--- a/Emby.Server.Implementations/Library/UserManager.cs
+++ b/Emby.Server.Implementations/Library/UserManager.cs
@@ -353,11 +353,11 @@ namespace Emby.Server.Implementations.Library
                     UpdateUser(user);
                 }
 
-                UpdateInvalidLoginAttemptCount(user, 0);
+                ResetInvalidLoginAttemptCount(user);
             }
             else
             {
-                UpdateInvalidLoginAttemptCount(user, user.Policy.InvalidLoginAttemptCount + 1);
+                IncrementInvalidLoginAttemptCount(user);
             }
 
             _logger.LogInformation("Authentication request for {0} {1}.", user.Name, success ? "has succeeded" : "has been denied");
@@ -509,41 +509,28 @@ namespace Emby.Server.Implementations.Library
                 : PasswordHash.ConvertToByteString(new PasswordHash(user.EasyPassword).Hash);
         }
 
-        private void UpdateInvalidLoginAttemptCount(User user, int newValue)
+        private void ResetInvalidLoginAttemptCount(User user)
         {
-            if (user.Policy.InvalidLoginAttemptCount == newValue || newValue <= 0)
-            {
-                return;
-            }
-
-            user.Policy.InvalidLoginAttemptCount = newValue;
-
-            // Check for users without a value here and then fill in the default value
-            // also protect from an always lockout if misconfigured
-            if (user.Policy.LoginAttemptsBeforeLockout == null || user.Policy.LoginAttemptsBeforeLockout == 0)
-            {
-                user.Policy.LoginAttemptsBeforeLockout = user.Policy.IsAdministrator ? 5 : 3;
-            }
-
-            var maxCount = user.Policy.LoginAttemptsBeforeLockout;
-
-            var fireLockout = false;
+            user.Policy.InvalidLoginAttemptCount = 0;
+            UpdateUserPolicy(user, user.Policy, false);
+        }
 
-            // -1 can be used to specify no lockout value
-            if (maxCount != -1 && newValue >= maxCount)
+        private void IncrementInvalidLoginAttemptCount(User user)
+        {
+            int invalidLogins = ++user.Policy.InvalidLoginAttemptCount;
+            int maxInvalidLogins = user.Policy.LoginAttemptsBeforeLockout;
+            if (maxInvalidLogins > 0
+                && invalidLogins >= maxInvalidLogins)
             {
-                _logger.LogDebug("Disabling user {0} due to {1} unsuccessful login attempts.", user.Name, newValue);
                 user.Policy.IsDisabled = true;
-
-                fireLockout = true;
+                UserLockedOut?.Invoke(this, new GenericEventArgs<User>(user));
+                _logger.LogWarning(
+                    "Disabling user {UserName} due to {Attempts} unsuccessful login attempts.",
+                    user.Name,
+                    invalidLogins);
             }
 
             UpdateUserPolicy(user, user.Policy, false);
-
-            if (fireLockout)
-            {
-                UserLockedOut?.Invoke(this, new GenericEventArgs<User>(user));
-            }
         }
 
         /// <summary>