From 8df095f3689162f8f1e37222661e3391cf4bc661 Mon Sep 17 00:00:00 2001
From: Benjamin Gaussorgues
Date: Thu, 27 Jun 2024 16:14:51 +0200
Subject: [PATCH] feat: don't count failed CSRF as failed login attempt

Signed-off-by: Benjamin Gaussorgues
---
 core/Controller/LoginController.php | 16 ++++++++++++----
 tests/Core/Controller/LoginControllerTest.php | 1 -
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index 6a29bd17282..bc332df7ecd 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -232,7 +232,7 @@ class LoginController extends Controller {
 $this->canResetPassword($passwordLink, $user)
 );
 }
-
+
 /**
 * Sets the initial state of whether or not a user is allowed to login with their email
 * initial state is passed in the array of 1 for email allowed and 0 for not allowed
@@ -326,7 +326,8 @@ class LoginController extends Controller {
 $user,
 $user,
 $redirect_url,
- self::LOGIN_MSG_CSRFCHECKFAILED
+ self::LOGIN_MSG_CSRFCHECKFAILED,
+ false,
 );
 }
@@ -376,7 +377,12 @@ class LoginController extends Controller {
 * @return RedirectResponse
 */
 private function createLoginFailedResponse(
- $user, $originalUser, $redirect_url, string $loginMessage) {
+ $user,
+ $originalUser,
+ $redirect_url,
+ string $loginMessage,
+ bool $throttle = true,
+ ) {
 // Read current user and append if possible we need to
 // return the unmodified user otherwise we will leak the login name
 $args = $user !== null ? ['user' => $originalUser, 'direct' => 1] : [];
@@ -386,7 +392,9 @@ class LoginController extends Controller {
 $response = new RedirectResponse(
 $this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)
 );
- $response->throttle(['user' => substr($user, 0, 64)]);
+ if ($throttle) {
+ $response->throttle(['user' => substr($user, 0, 64)]);
+ }
 $this->session->set('loginMessages', [
 [$loginMessage], []
 ]);
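Review bot: The new `false` argument appended to the createLoginFailedResponse call in the `@@ -326` hunk is a bare positional boolean, so a reader of the CSRF-failure branch has to open the callee to learn what is being switched off. The parameter list introduced in the same patch ends with a trailing comma, which is PHP 8.0+ syntax, so named arguments are available and `throttle: false,` would state the intent at the call site. The enclosing method starts and ends outside the hunk.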
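Review bot: The added `bool $throttle = true` parameter in the `@@ -376` hunk has no matching `@param` entry; the visible tail of the docblock shows only `@return RedirectResponse`, and the rest of it is outside the hunk, so this is inferred rather than certain. I would add `@param bool $throttle Whether the response is reported to brute-force throttling; pass false only for failures that never evaluated credentials (e.g. a CSRF check failure)`. The older untyped `$user`, `$originalUser` and `$redirect_url` parameters could pick up types while the signature is being reflowed, though that is beyond this change's scope, and the method body continues outside the hunk.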
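Review bot: Wrapping `$response->throttle(...)` in `if ($throttle)` in the `@@ -386` hunk removes the brute-force signal for that response, so the `false` path must only be reachable for requests rejected before any password is compared; the hunk shows only the CSRF caller passing `false`, and whether that CSRF check precedes credential verification in the caller is not visible here, so the ordering is worth confirming in review. A future caller passing `false` after a genuine password mismatch would silently stop that attempt from counting toward throttling. A comment on the `if` would make the invariant explicit: `// Skip throttling only for failures that did not evaluate credentials (e.g. CSRF); a wrong-password attempt must always count.` createLoginFailedResponse's body continues outside the hunk.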
diff --git a/tests/Core/Controller/LoginControllerTest.php b/tests/Core/Controller/LoginControllerTest.php
index 005b7d713e5..3adb62b0743 100644
--- a/tests/Core/Controller/LoginControllerTest.php
+++ b/tests/Core/Controller/LoginControllerTest.php
@@ -544,7 +544,6 @@ class LoginControllerTest extends TestCase {
 $response = $this->loginController->tryLogin($loginChain, 'Jane', $password, $originalUrl);
 $expected = new RedirectResponse('');
- $expected->throttle(['user' => 'Jane']);
 $this->assertEquals($expected, $response);
 }
-- 
2.39.5