Members: Forward port of fix for member lockout issue #16988 from PR #17007 for 16 (#20441)

AndyButland · Copilot · web-flow · commit 99c2aaf17abc · 2025-10-10T09:52:57.000+02:00
* Port PR #17007 * Update src/Umbraco.Infrastructure/Security/IdentityMapDefinition.cs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
diff --git a/src/Umbraco.Infrastructure/Security/IdentityMapDefinition.cs b/src/Umbraco.Infrastructure/Security/IdentityMapDefinition.cs
@@ -95,7 +95,7 @@ private void Map(IUser source, BackOfficeIdentityUser target)
         target.IsApproved = source.IsApproved;
         target.SecurityStamp = source.SecurityStamp;
         DateTime? lockedOutUntil = source.LastLockoutDate?.AddMinutes(_securitySettings.UserDefaultLockoutTimeInMinutes);
-        target.LockoutEnd = source.IsLockedOut ? (lockedOutUntil ?? DateTime.MaxValue).ToUniversalTime() : null;
+        target.LockoutEnd = source.IsLockedOut ? lockedOutUntil ?? DateTime.MaxValue : null;
         target.Kind = source.Kind;
     }
 
@@ -114,16 +114,46 @@ private void Map(IMember source, MemberIdentityUser target)
         target.IsApproved = source.IsApproved;
         target.SecurityStamp = source.SecurityStamp;
         DateTime? lockedOutUntil = source.LastLockoutDate?.AddMinutes(_securitySettings.MemberDefaultLockoutTimeInMinutes);
-        target.LockoutEnd = source.IsLockedOut ? (lockedOutUntil ?? DateTime.MaxValue).ToUniversalTime() : null;
+        target.LockoutEnd = GetLockoutEnd(source);
+        target.LastLockoutDateUtc = GetLastLockoutDateUtc(source);
+        target.CreatedDateUtc = EnsureUtcWithServerTime(source.CreateDate);
         target.Comments = source.Comments;
-        target.LastLockoutDateUtc = source.LastLockoutDate == DateTime.MinValue
-            ? null
-            : source.LastLockoutDate?.ToUniversalTime();
-        target.CreatedDateUtc = source.CreateDate.ToUniversalTime();
         target.Key = source.Key;
         target.MemberTypeAlias = source.ContentTypeAlias;
         target.TwoFactorEnabled = _twoFactorLoginService.IsTwoFactorEnabledAsync(source.Key).GetAwaiter().GetResult();
 
         // NB: same comments re AutoMapper as per BackOfficeUser
     }
+
+    private DateTimeOffset? GetLockoutEnd(IMember source)
+    {
+        if (source.IsLockedOut is false)
+        {
+            return null;
+        }
+
+        DateTime? lockedOutUntil = source.LastLockoutDate?.AddMinutes(_securitySettings.MemberDefaultLockoutTimeInMinutes);
+        if (lockedOutUntil.HasValue is false)
+        {
+            return DateTime.MaxValue;
+        }
+
+        return EnsureUtcWithServerTime(lockedOutUntil.Value);
+    }
+
+    private static DateTime? GetLastLockoutDateUtc(IMember source)
+    {
+        if (source.LastLockoutDate is null || source.LastLockoutDate == DateTime.MinValue)
+        {
+            return null;
+        }
+
+        return EnsureUtcWithServerTime(source.LastLockoutDate.Value);
+    }
+
+    private static DateTime EnsureUtcWithServerTime(DateTime date) =>
+
+        // We have a server time value here, but the Kind is UTC, so we can't use .ToUniversalTime() to convert to the UTC
+        // value that the LockoutEnd property expects. We need to create a DateTimeOffset with the correct offset.
+        DateTime.SpecifyKind(date, DateTimeKind.Local).ToUniversalTime();
 }
