From: Joas Schilling
Date: Mon, 14 Aug 2023 16:59:50 +0000 (+0200)
Subject: feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep
X-Git-Tag: v27.1.0beta3~7^2~6
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=97548e789fd09685d79ad4bf28c59d7067ca55b4;p=nextcloud-server.git
feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep
Signed-off-by: Joas Schilling
---
diff --git a/config/config.sample.php b/config/config.sample.php
index b0aac34c066..185473ea6c7 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -352,6 +352,19 @@ $CONFIG = [
 */
 'auth.bruteforce.protection.enabled' => true,
 
+/**
+ * Whether the bruteforce protection shipped with Nextcloud should be set to testing mode.
+ *
+ * In testing mode bruteforce attempts are still recorded, but the requests do
+ * not sleep/wait for the specified time. They will still abort with
+ * "429 Too Many Requests" when the maximum delay is reached.
+ * Enabling this is discouraged for security reasons
+ * and should only be done for debugging and on CI when running tests.
+ *
+ * Defaults to ``false``
+ */
+'auth.bruteforce.protection.testing' => false,
+
 /**
 * Whether the rate limit protection shipped with Nextcloud should be enabled or not.
 *
diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php
index a0a41a8b4c4..01032c415ff 100644
--- a/lib/private/Security/Bruteforce/Throttler.php
+++ b/lib/private/Security/Bruteforce/Throttler.php
@@ -280,7 +280,9 @@ class Throttler implements IThrottler {
 */
 public function sleepDelay(string $ip, string $action = ''): int {
 $delay = $this->getDelay($ip, $action);
- usleep($delay * 1000);
+ if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
+ usleep($delay * 1000);
+ }
 return $delay;
 }
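Review bot: The testing-mode check `if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {` is written out verbatim in sleepDelay here and again in the hunk at @@ -304; reading the flag through one private helper keeps the two sites from drifting if the key name or default ever changes. Because this flag silently removes the delay, an enabled flag should be observable: the log call visible at the top of the @@ -304 hunk suggests a logger is available in this class, and a warning emitted when the flag is on would make a flag left enabled in a production config show up in the logs (hedged, since the logger itself is not in either hunk). The sleepDelay docblock, which ends at the ` */` line of this hunk, should also state that in testing mode the returned delay is computed and recorded but not slept. The enclosing method of the @@ -304 hunk starts above that hunk.
```php
public function sleepDelay(string $ip, string $action = ''): int {
	$delay = $this->getDelay($ip, $action);
	if (!$this->isTestingMode()) {
		usleep($delay * 1000);
	}
	return $delay;
}

/**
 * Whether 'auth.bruteforce.protection.testing' is set. Attempts are still
 * recorded and the maximum-delay abort still applies; only the sleep is skipped.
 */
private function isTestingMode(): bool {
	return $this->config->getSystemValueBool('auth.bruteforce.protection.testing');
}
```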
@@ -304,7 +306,9 @@ class Throttler implements IThrottler {
 'delay' => $delay,
 ]);
 }
- usleep($delay * 1000);
+ if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
+ usleep($delay * 1000);
+ }
 return $delay;
 }
 }