refactor: consolidate lockout logic between X11 and Wayland

Created a LockoutManager class to centralize lockout functionality
that was previously duplicated in the X11 and Wayland implementations.
This consolidation improves code maintainability and ensures consistent
behavior across different display servers.

The refactoring includes:
- New lockout.go file containing the LockoutManager implementation
- Updates to X11Locker and WaylandLocker to use the shared manager
- Removal of redundant lockout-related fields from both implementations
- Consistent lockout policy implementation and duration calculation

The UI display code remains specific to each display server while
the core security policy is now maintained in a single location.

Author: Tuxx

internal/lockout.go

@@ -0,0 +1,139 @@
+package internal
+
+import (
+	"fmt"
+	"time"
+)
+
+// LockoutManager handles authentication failures and lockout periods
+type LockoutManager struct {
+	failedAttempts  int           // Count of failed authentication attempts
+	lockoutUntil    time.Time     // Time until which input is locked out
+	lockoutActive   bool          // Whether a lockout is currently active
+	lastFailureTime time.Time     // Time of the last failed attempt
+	config          Configuration // Application configuration
+	timerRunning    bool          // Track if the countdown timer is already running
+}
+
+// NewLockoutManager creates a new lockout manager with the given configuration
+func NewLockoutManager(config Configuration) *LockoutManager {
+	return &LockoutManager{
+		failedAttempts:  0,
+		lockoutActive:   false,
+		timerRunning:    false,
+		config:          config,
+		lastFailureTime: time.Now().Add(-24 * time.Hour), // Set to past to avoid initial penalty
+	}
+}
+
+// HandleFailedAttempt processes a failed authentication and returns lockout information
+// Returns: lockoutActive (bool), lockoutDuration (time.Duration), remainingAttempts (int)
+func (lm *LockoutManager) HandleFailedAttempt() (bool, time.Duration, int) {
+	// Record the failure
+	lm.failedAttempts++
+	lm.lastFailureTime = time.Now()
+
+	Info("Authentication failed (%d/3 attempts)", lm.failedAttempts)
+
+	// If we've had 3+ failures, implement a lockout
+	if lm.failedAttempts >= 3 {
+		var lockoutDuration time.Duration
+
+		// Check if we're in debug mode
+		if lm.config.DebugExit {
+			// Use a shorter lockout in debug mode
+			lockoutDuration = 5 * time.Second
+			Info("Debug mode: Using shorter lockout duration of 5 seconds")
+		} else {
+			// Determine the lockout duration based on recent failures
+			// First lockout is 30 seconds, increases for subsequent lockouts
+			if !lm.lockoutActive {
+				// First lockout
+				lockoutDuration = 30 * time.Second
+			} else {
+				// Subsequent lockouts - increase duration but cap at 10 minutes
+				// Increase by 30 seconds each time, based on failed attempts / 3
+				lockoutDuration = 30 * time.Second * time.Duration(lm.failedAttempts/3)
+				if lockoutDuration > 10*time.Minute {
+					lockoutDuration = 10 * time.Minute
+				}
+			}
+		}
+
+		// Set the lockout time
+		lm.lockoutUntil = time.Now().Add(lockoutDuration)
+		lm.lockoutActive = true
+
+		Info("Failed %d attempts, locking out for %v", lm.failedAttempts, lockoutDuration)
+
+		// Reset counter after implementing lockout
+		remainingAttempts := 0
+		lm.failedAttempts = 0
+
+		return true, lockoutDuration, remainingAttempts
+	}
+
+	// Not locked out yet
+	remainingAttempts := 3 - lm.failedAttempts
+	return false, 0, remainingAttempts
+}
+
+// IsLockedOut checks if authentication is currently locked out
+func (lm *LockoutManager) IsLockedOut() bool {
+	if lm.lockoutActive && time.Now().Before(lm.lockoutUntil) {
+		return true
+	}
+
+	// If we were in a lockout but it's expired, clear the lockout state
+	if lm.lockoutActive && time.Now().After(lm.lockoutUntil) {
+		Info("Lockout period has expired, clearing lockout state")
+		lm.lockoutActive = false
+	}
+
+	return false
+}
+
+// GetRemainingTime returns how much time is left in the lockout
+func (lm *LockoutManager) GetRemainingTime() time.Duration {
+	if !lm.lockoutActive {
+		return 0
+	}
+
+	remaining := lm.lockoutUntil.Sub(time.Now())
+	if remaining < 0 {
+		remaining = 0
+		lm.lockoutActive = false
+	}
+
+	return remaining
+}
+
+// FormatRemainingTime returns a nicely formatted string of the remaining lockout time
+func (lm *LockoutManager) FormatRemainingTime() string {
+	remainingTime := lm.GetRemainingTime()
+	minutes := int(remainingTime.Minutes())
+	seconds := int(remainingTime.Seconds()) % 60
+	return fmt.Sprintf("%02d:%02d", minutes, seconds)
+}
+
+// ResetLockout resets the lockout state (e.g., after successful authentication)
+func (lm *LockoutManager) ResetLockout() {
+	lm.failedAttempts = 0
+	lm.lockoutActive = false
+	lm.timerRunning = false
+}
+
+// GetLockoutUntil returns the time when the lockout ends
+func (lm *LockoutManager) GetLockoutUntil() time.Time {
+	return lm.lockoutUntil
+}
+
+// IsTimerRunning returns whether the lockout timer is currently running
+func (lm *LockoutManager) IsTimerRunning() bool {
+	return lm.timerRunning
+}
+
+// SetTimerRunning sets the timer running state
+func (lm *LockoutManager) SetTimerRunning(running bool) {
+	lm.timerRunning = running
+}

internal/types.go

@@ -30,28 +30,24 @@ type IdleWatcher struct {
 
 // X11Locker implements the ScreenLocker interface for X11
 type X11Locker struct {
-	config          Configuration
-	conn            *xgb.Conn
-	screen          *xproto.ScreenInfo
-	window          xproto.Window
-	gc              xproto.Gcontext
-	width           uint16
-	height          uint16
-	helper          *LockHelper
-	mediaPlayer     *MediaPlayer
-	passwordBuf     string
-	isLocked        bool
-	passwordDots    []bool // true for filled, false for empty
-	maxDots         int
-	idleWatcher     *IdleWatcher
-	dotWindows      []xproto.Window // Track password dot windows
-	failedAttempts  int             // Count of failed authentication attempts
-	lockoutUntil    time.Time       // Time until which input is locked out
-	lockoutActive   bool            // Whether a lockout is currently active
-	timerRunning    bool            // Track if the countdown timer is already running
-	lastFailureTime time.Time       // Time of the last failed attempt
-	messageWindow   xproto.Window   // Window for displaying lockout messages
-	textGC          xproto.Gcontext // Graphics context for drawing text
+	config         Configuration
+	conn           *xgb.Conn
+	screen         *xproto.ScreenInfo
+	window         xproto.Window
+	gc             xproto.Gcontext
+	width          uint16
+	height         uint16
+	helper         *LockHelper
+	mediaPlayer    *MediaPlayer
+	passwordBuf    string
+	isLocked       bool
+	passwordDots   []bool // true for filled, false for empty
+	maxDots        int
+	idleWatcher    *IdleWatcher
+	dotWindows     []xproto.Window // Track password dot windows
+	lockoutManager *LockoutManager // Use the shared lockout manager
+	messageWindow  xproto.Window   // Window for displaying lockout messages
+	textGC         xproto.Gcontext // Graphics context for drawing text
 }
 
 // MediaType defines the type of media file
@@ -262,9 +258,6 @@ type WaylandLocker struct {
 	helper          *LockHelper
 	lockActive      bool
 	countdownActive bool
-	failedAttempts  int
-	lockoutUntil    time.Time
-	lockoutActive   bool
-	lastFailureTime time.Time
+	lockoutManager  *LockoutManager // Use the shared lockout manager
 	mu              sync.Mutex
 }

internal/wayland.go

@@ -108,10 +108,9 @@ func NewWaylandLocker(config Configuration) *WaylandLocker {
 		helper:          NewLockHelper(config),
 		lockActive:      false,
 		mediaPlayer:     NewMediaPlayer(config),
-		failedAttempts:  0,
-		lockoutActive:   false,
+		lockoutManager:  NewLockoutManager(config),
 		countdownActive: false,
-		securePassword:  NewSecurePassword(), // Initialize the new securePassword field
+		securePassword:  NewSecurePassword(),
 	}
 }
 
@@ -756,21 +755,15 @@ func (l *WaylandLocker) Lock() error {
 }
 
 func (l *WaylandLocker) authenticate() {
-	// Check if we're in a lockout period
-	if l.lockoutActive && time.Now().Before(l.lockoutUntil) {
+	// Check if we're in a lockout period using the lockout manager
+	if l.lockoutManager.IsLockedOut() {
 		// Still in lockout period, don't even attempt authentication
-		remainingTime := time.Until(l.lockoutUntil).Round(time.Second)
+		remainingTime := l.lockoutManager.GetRemainingTime().Round(time.Second)
 		Info("Authentication locked out for another %v", remainingTime)
 		l.securePassword.Clear()
 		return
 	}
 
-	// If we were in a lockout but it's expired, clear the lockout state
-	if l.lockoutActive && time.Now().After(l.lockoutUntil) {
-		Info("Lockout period has expired, clearing lockout state")
-		l.lockoutActive = false
-	}
-
 	if l.helper == nil {
 		l.helper = NewLockHelper(l.config)
 		Debug("Created lock helper for PAM auth")
@@ -783,6 +776,9 @@ func (l *WaylandLocker) authenticate() {
 	if result.Success {
 		Debug("Auth OK, unlocking session")
 
+		// Reset lockout on successful authentication
+		l.lockoutManager.ResetLockout()
+
 		go func() {
 			if l.mediaPlayer != nil {
 				Debug("Stopping media player")
@@ -825,46 +821,18 @@ func (l *WaylandLocker) authenticate() {
 	} else {
 		Debug("Auth failed: %s", result.Message)
 
-		// Authentication failed, increment counter
-		l.failedAttempts++
-		l.lastFailureTime = time.Now()
-		Info("Authentication failed (%d/3 attempts): %s", l.failedAttempts, result.Message)
+		// Authentication failed, use the lockout manager to handle the failed attempt
+		lockoutActive, lockoutDuration, _ := l.lockoutManager.HandleFailedAttempt()
 
 		// First, do the password shake animation
 		l.shakePasswordDots()
 
-		// Check if we should implement a lockout
-		if l.failedAttempts >= 3 {
-			// Determine lockout duration - start with 30 seconds
-			lockoutDuration := 30 * time.Second
-
-			// If in debug mode, cap at 5 seconds
-			if l.config.DebugExit {
-				lockoutDuration = 5 * time.Second
-				Info("Debug mode: Using shorter lockout duration of 5 seconds")
-			} else {
-				// If this isn't the first lockout, increase the duration
-				if l.lockoutActive {
-					// Increase by 30 seconds each time
-					lockoutDuration = 30 * time.Second * time.Duration(l.failedAttempts/3)
-					// Cap at 10 minutes
-					if lockoutDuration > 10*time.Minute {
-						lockoutDuration = 10 * time.Minute
-					}
-				}
-			}
-
-			// Set the lockout time
-			l.lockoutUntil = time.Now().Add(lockoutDuration)
-			l.lockoutActive = true
-
-			Info("Failed %d attempts, locking out for %v", l.failedAttempts, lockoutDuration)
+		// If lockout was activated, show the lockout message
+		if lockoutActive {
+			Info("Lockout activated until: %v", l.lockoutManager.GetLockoutUntil())
 
 			// Show lockout message on screen AFTER the shake animation is complete
 			l.StartCountdown("Account locked", int(lockoutDuration.Seconds()))
-
-			// Reset counter after implementing lockout
-			l.failedAttempts = 0
 		}
 	}