Lukas Reschke
9 years ago
No known key found for this signature in database
GPG Key ID: B9F6980CF6E759B1
6 changed files with
28 additions and
5 deletions
-
core/Controller/LoginController.php
-
lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
-
lib/public/AppFramework/Http/Response.php
-
tests/Core/Controller/LoginControllerTest.php
-
tests/lib/AppFramework/Http/ResponseTest.php
-
tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php
|
|
|
@ -248,7 +248,7 @@ class LoginController extends Controller { |
|
|
|
$args['redirect_url'] = $redirect_url; |
|
|
|
} |
|
|
|
$response = new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)); |
|
|
|
$response->throttle(); |
|
|
|
$response->throttle(['user' => $user]); |
|
|
|
$this->session->set('loginMessages', [ |
|
|
|
['invalidpassword'], [] |
|
|
|
]); |
|
|
|
|
|
|
|
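Review bot: The value recorded by `$response->throttle(['user' => $user])` is not documented, and it is not evident from this hunk whether it is the identifier the client submitted or a name resolved earlier in tryLogin — the test at -634 calls tryLogin with 'john@doe.com' yet expects `['user' => 'john']`, which suggests `$user` is reassigned before this point. Because the array is handed to the throttler and presumably persisted with the attempt, a short comment stating which value it is would help the next reader: `// Recorded with the brute-force attempt; $user is the login name as resolved above, which may differ from the submitted identifier.` tryLogin starts and ends outside this hunk.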
@ -75,7 +75,7 @@ class BruteForceMiddleware extends Middleware { |
|
|
|
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); |
|
|
|
$ip = $this->request->getRemoteAddress(); |
|
|
|
$this->throttler->sleepDelay($ip, $action); |
|
|
|
$this->throttler->registerAttempt($action, $ip); |
|
|
|
$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata()); |
|
|
|
} |
|
|
|
|
|
|
|
return parent::afterController($controller, $methodName, $response); |
|
|
|
|
|
|
|
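Review bot: `$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata())` passes a third argument, but none of the six files in this commit is the throttler, so its `registerAttempt` must already accept a metadata parameter; PHP discards surplus arguments to user-defined methods without any error, so if it does not, the metadata is silently dropped. Please confirm the throttler interface and, if the parameter is new, include that signature change in the same commit. afterController starts outside this hunk.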
@ -83,6 +83,8 @@ class Response { |
|
|
|
|
|
|
|
/** @var bool */ |
|
|
|
private $throttled = false; |
|
|
|
/** @var array */ |
|
|
|
private $throttleMetadata = []; |
|
|
|
|
|
|
|
/** |
|
|
|
* Caches the response |
|
|
|
@ -328,10 +330,22 @@ class Response { |
|
|
|
* Marks the response as to throttle. Will be throttled when the |
|
|
|
* @BruteForceProtection annotation is added. |
|
|
|
* |
|
|
|
* @param array $metadata |
|
|
|
* @since 12.0.0 |
|
|
|
*/ |
|
|
|
public function throttle() { |
|
|
|
public function throttle(array $metadata = []) { |
|
|
|
$this->throttled = true; |
|
|
|
$this->throttleMetadata = $metadata; |
|
|
|
} |
|
|
|
|
|
|
|
/** |
|
|
|
* Returns the throttle metadata, defaults to empty array |
|
|
|
* |
|
|
|
* @return array |
|
|
|
* @since 13.0.0 |
|
|
|
*/ |
|
|
|
public function getThrottleMetadata() { |
|
|
|
return $this->throttleMetadata; |
|
|
|
} |
|
|
|
|
|
|
|
/** |
|
|
|
|
|
|
|
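Review bot: The docblock for `throttle(array $metadata = [])` says nothing about what the array holds, and `@since 12.0.0` is kept on the method while the parameter itself is new (the accompanying `getThrottleMetadata` is `@since 13.0.0`); as this lives in lib/public, the metadata shape is part of the API contract. Calling `throttle()` a second time without an argument also overwrites previously set metadata with `[]`, which the docblock should state. Suggested wording: `@param array $metadata context stored with the brute-force attempt (e.g. ['user' => $loginName]); replaces any metadata set by an earlier call. Parameter added in 13.0.0.`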
@ -307,7 +307,7 @@ class LoginControllerTest extends TestCase { |
|
|
|
->method('deleteUserValue'); |
|
|
|
|
|
|
|
$expected = new \OCP\AppFramework\Http\RedirectResponse($loginPageUrl); |
|
|
|
$expected->throttle(); |
|
|
|
$expected->throttle(['user' => 'MyUserName']); |
|
|
|
$this->assertEquals($expected, $this->loginController->tryLogin($user, $password, '/apps/files')); |
|
|
|
} |
|
|
|
|
|
|
|
@ -634,7 +634,7 @@ class LoginControllerTest extends TestCase { |
|
|
|
->method('createRememberMeToken'); |
|
|
|
|
|
|
|
$expected = new RedirectResponse(''); |
|
|
|
$expected->throttle(); |
|
|
|
$expected->throttle(['user' => 'john']); |
|
|
|
$this->assertEquals($expected, $this->loginController->tryLogin('john@doe.com', 'just wrong', null)); |
|
|
|
} |
|
|
|
} |
|
|
|
@ -269,4 +269,9 @@ class ResponseTest extends \Test\TestCase { |
|
|
|
$this->childResponse->throttle(); |
|
|
|
$this->assertTrue($this->childResponse->isThrottled()); |
|
|
|
} |
|
|
|
|
|
|
|
public function testGetThrottleMetadata() { |
|
|
|
$this->childResponse->throttle(['foo' => 'bar']); |
|
|
|
$this->assertSame(['foo' => 'bar'], $this->childResponse->getThrottleMetadata()); |
|
|
|
} |
|
|
|
} |
|
|
|
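Review bot: `testGetThrottleMetadata` covers only the case where metadata was set; the docblock promises an empty-array default and nothing asserts it. Adding `$this->assertSame([], $this->childResponse->getThrottleMetadata());` as the first line of the test, before the `throttle(['foo' => 'bar'])` call, pins that default.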
@ -112,6 +112,10 @@ class BruteForceMiddlewareTest extends TestCase { |
|
|
|
->expects($this->once()) |
|
|
|
->method('isThrottled') |
|
|
|
->willReturn(true); |
|
|
|
$response |
|
|
|
->expects($this->once()) |
|
|
|
->method('getThrottleMetadata') |
|
|
|
->willReturn([]); |
|
|
|
$this->reflector |
|
|
|
->expects($this->once()) |
|
|
|
->method('getAnnotationParameter') |
|
|
|
|
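Review bot: The stub `->method('getThrottleMetadata')->willReturn([])` means this test cannot tell whether the metadata reaches `registerAttempt` — a middleware that ignored the response entirely would pass just as well with an empty array. Returning a constructed non-empty value such as `['user' => 'test-user']` and matching the same array in the throttler's `registerAttempt` expectation (which lies outside this hunk) would verify the pass-through. The enclosing test method starts and ends outside the hunk.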