summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoas Schilling <coding@schilljs.com>2023-08-14 18:59:50 +0200
committerJoas Schilling <coding@schilljs.com>2023-08-23 06:44:06 +0200
commit97548e789fd09685d79ad4bf28c59d7067ca55b4 (patch)
tree864b1dff6eebd279966d29a8c6c76f7701e50d3d
parentbefa2f6d51231c9f79f4c66457424870c120517a (diff)
downloadnextcloud-server-97548e789fd09685d79ad4bf28c59d7067ca55b4.tar.gz
nextcloud-server-97548e789fd09685d79ad4bf28c59d7067ca55b4.zip
feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r--config/config.sample.php13
-rw-r--r--lib/private/Security/Bruteforce/Throttler.php8
2 files changed, 19 insertions, 2 deletions
diff --git a/config/config.sample.php b/config/config.sample.php
index b0aac34c066..185473ea6c7 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -353,6 +353,19 @@ $CONFIG = [
'auth.bruteforce.protection.enabled' => true,
/**
+ * Whether the bruteforce protection shipped with Nextcloud should be set to testing mode.
+ *
+ * In testing mode bruteforce attempts are still recorded, but the requests do
+ * not sleep/wait for the specified time. They will still abort with
+ * "429 Too Many Requests" when the maximum delay is reached.
+ * Enabling this is discouraged for security reasons
+ * and should only be done for debugging and on CI when running tests.
+ *
+ * Defaults to ``false``
+ */
+'auth.bruteforce.protection.testing' => false,
+
+/**
* Whether the rate limit protection shipped with Nextcloud should be enabled or not.
*
* Disabling this is discouraged for security reasons.
diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php
index a0a41a8b4c4..01032c415ff 100644
--- a/lib/private/Security/Bruteforce/Throttler.php
+++ b/lib/private/Security/Bruteforce/Throttler.php
@@ -280,7 +280,9 @@ class Throttler implements IThrottler {
*/
public function sleepDelay(string $ip, string $action = ''): int {
$delay = $this->getDelay($ip, $action);
- usleep($delay * 1000);
+ if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
+ usleep($delay * 1000);
+ }
return $delay;
}
@@ -304,7 +306,9 @@ class Throttler implements IThrottler {
'delay' => $delay,
]);
}
- usleep($delay * 1000);
+ if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
+ usleep($delay * 1000);
+ }
return $delay;
}
}