Correctly return ms delay when at max
authorJoas Schilling <coding@schilljs.com>
Thu, 9 Jul 2020 10:16:52 +0000 (12:16 +0200)
committerJoas Schilling <coding@schilljs.com>
Wed, 19 Aug 2020 09:20:36 +0000 (11:20 +0200)
Signed-off-by: Joas Schilling <coding@schilljs.com>
lib/private/Security/Bruteforce/Throttler.php

index b490c6a4012c2e7bd8a029ebf85db29e36dd83ab..d7eb8b44c8abeb29b3ea4265854a6c0b1f10091a 100644 (file)
@@ -53,6 +53,7 @@ use OCP\Security\Bruteforce\MaxDelayReached;
 class Throttler {
        public const LOGIN_ACTION = 'login';
        public const MAX_DELAY = 25;
+       public const MAX_DELAY_MS = 25000; // in milliseconds
        public const MAX_ATTEMPTS = 10;
 
        /** @var IDBConnection */
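Review bot: `MAX_DELAY_MS` restates `MAX_DELAY` in a second unit as an independent literal, so a later edit to one without the other would bring back a seconds/milliseconds mismatch in the throttle. Deriving it keeps the two tied together: `public const MAX_DELAY_MS = self::MAX_DELAY * 1000; // in milliseconds`. A short comment on `MAX_DELAY` saying it is in seconds would also help, since its unit is currently implied only by the new constant's name.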
@@ -263,12 +264,12 @@ class Throttler {
                $firstDelay = 0.1;
                if ($attempts > self::MAX_ATTEMPTS) {
                        // Don't ever overflow. Just assume the maxDelay time:s
-                       return self::MAX_DELAY;
+                       return self::MAX_DELAY_MS;
                }
 
                $delay = $firstDelay * 2**$attempts;
                if ($delay > self::MAX_DELAY) {
-                       return self::MAX_DELAY;
+                       return self::MAX_DELAY_MS;
                }
                return (int) \ceil($delay * 1000);
        }
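Review bot: Nothing in this hunk pins the unit of the capped return value, and the cap is the branch that matters most for brute-force protection because it is where repeated failed attempts end up. The removed lines returned `MAX_DELAY` (25) while the last line returns `ceil($delay * 1000)`, so the cap was far smaller than the delays just below it. A regression test asserting that the method returns `MAX_DELAY_MS` above `MAX_ATTEMPTS`, and never less than it returns for a lower attempt count, would catch that class of mistake. The body still mixes units (`$delay > self::MAX_DELAY` is in seconds, the returns are in milliseconds), so I would state it in the docblock, e.g. `@return int delay in milliseconds, capped at self::MAX_DELAY_MS`. The signature and docblock are outside the hunk, so whether the unit is already documented there is not visible.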
@@ -338,7 +339,7 @@ class Throttler {
         */
        public function sleepDelayOrThrowOnMax(string $ip, string $action = ''): int {
                $delay = $this->getDelay($ip, $action);
-               if (($delay === self::MAX_DELAY * 1000) && $this->getAttempts($ip, $action, 0.5) > self::MAX_ATTEMPTS) {
+               if (($delay === self::MAX_DELAY_MS) && $this->getAttempts($ip, $action, 0.5) > self::MAX_ATTEMPTS) {
                        // If the ip made too many attempts within the last 30 mins we don't execute anymore
                        throw new MaxDelayReached('Reached maximum delay');
                }
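Review bot: The lockout decision on the changed line depends on `$delay === self::MAX_DELAY_MS`, an exact match on a sentinel value that `getDelay()` has to produce. If the cap is ever returned in another unit, as the removed lines in the previous hunk appear to have done, the condition would not match and `MaxDelayReached` would not be thrown. `if (($delay >= self::MAX_DELAY_MS) && ...` keeps the check valid even if the cap computation changes again. The comment says 30 mins while the call passes `0.5`, presumably hours; naming that unit in the comment would make the window easier to audit. The method continues past the end of the hunk.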