
add action to existing brute force protection

Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
tags/v12.0.0beta1
Bjoern Schiessle 7 years ago
parent
commit
cdf01feba7

+ 6
- 6
core/Controller/LoginController.php View File

@@ -205,8 +205,8 @@ class LoginController extends Controller {
* @return RedirectResponse
*/
public function tryLogin($user, $password, $redirect_url, $remember_login = false, $timezone = '', $timezone_offset = '') {
$currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());
$this->throttler->sleepDelay($this->request->getRemoteAddress());
$currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress(), 'login');
$this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login');

// If the user is already logged in and the CSRF check does not pass then
// simply redirect the user to the correct page as required. This is the
@@ -230,7 +230,7 @@ class LoginController extends Controller {
if ($loginResult === false) {
$this->throttler->registerAttempt('login', $this->request->getRemoteAddress(), ['user' => $originalUser]);
if($currentDelay === 0) {
$this->throttler->sleepDelay($this->request->getRemoteAddress());
$this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login');
}
$this->session->set('loginMessages', [
['invalidpassword'], []
@@ -295,15 +295,15 @@ class LoginController extends Controller {
* @return DataResponse
*/
public function confirmPassword($password) {
$currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());
$this->throttler->sleepDelay($this->request->getRemoteAddress());
$currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress(), 'sudo');
$this->throttler->sleepDelay($this->request->getRemoteAddress(), 'sudo');

$loginName = $this->userSession->getLoginName();
$loginResult = $this->userManager->checkPassword($loginName, $password);
if ($loginResult === false) {
$this->throttler->registerAttempt('sudo', $this->request->getRemoteAddress(), ['user' => $loginName]);
if ($currentDelay === 0) {
$this->throttler->sleepDelay($this->request->getRemoteAddress());
$this->throttler->sleepDelay($this->request->getRemoteAddress(), 'sudo');
}

return new DataResponse([], Http::STATUS_FORBIDDEN);
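Review bot: The action name is now part of the throttling key, yet `'login'` (in tryLogin) and `'sudo'` (in confirmPassword) are bare string literals repeated at the getDelay, sleepDelay and registerAttempt call sites of each method, so a typo at any one site would silently decouple the delay applied from the attempts registered for that path. A class constant keeps the three sites in lockstep: `const THROTTLE_ACTION_LOGIN = 'login';` and `const THROTTLE_ACTION_SUDO = 'sudo';`, then `$this->throttler->getDelay($remoteAddress, self::THROTTLE_ACTION_LOGIN);`. While touching these lines, `$this->request->getRemoteAddress()` is evaluated three to four times per method and could be read once into a local. The Throttler side of this signature change is not visible on this page, so I assume getDelay/sleepDelay already accept the action argument; if not, this commit would need to ship that change as well. Both tryLogin and confirmPassword continue outside the hunks shown.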

+ 1
- 1
core/Controller/OCSController.php View File

@@ -128,7 +128,7 @@ class OCSController extends \OCP\AppFramework\OCSController {
*/
public function personCheck($login = '', $password = '') {
if ($login !== '' && $password !== '') {
$this->throttler->sleepDelay($this->request->getRemoteAddress());
$this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login');
if ($this->userManager->checkPassword($login, $password)) {
return new DataResponse([
'person' => [
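Review bot: personCheck now sleeps under the `'login'` action before checkPassword, but the hunk ends before the failure path, so it is not visible whether a wrong password here calls `registerAttempt('login', ...)` like tryLogin does; if it does not, this endpoint only inherits delays produced by failures on other login paths and never adds to them. Worth confirming the failure branch registers an attempt under the same action string, and, as with LoginController, a shared constant for `'login'` would keep the sleep and the registration keyed identically. personCheck's body continues outside the hunk.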

+ 3
- 3
lib/private/User/Session.php View File

@@ -317,7 +317,7 @@ class Session implements IUserSession, Emitter {
$password,
IRequest $request,
OC\Security\Bruteforce\Throttler $throttler) {
$currentDelay = $throttler->sleepDelay($request->getRemoteAddress());
$currentDelay = $throttler->sleepDelay($request->getRemoteAddress(), 'login');

$isTokenPassword = $this->isTokenPassword($password);
if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
@@ -334,7 +334,7 @@ class Session implements IUserSession, Emitter {

$throttler->registerAttempt('login', $request->getRemoteAddress(), ['uid' => $user]);
if($currentDelay === 0) {
$throttler->sleepDelay($request->getRemoteAddress());
$throttler->sleepDelay($request->getRemoteAddress(), 'login');
}
return false;
}
@@ -768,7 +768,7 @@ class Session implements IUserSession, Emitter {
try {
$this->tokenProvider->invalidateToken($this->session->getId());
} catch (SessionNotAvailableException $ex) {
}
}
$this->setUser(null);
