diff options
author | Joas Schilling <coding@schilljs.com> | 2023-08-14 18:59:50 +0200 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2023-08-23 06:44:06 +0200 |
commit | 97548e789fd09685d79ad4bf28c59d7067ca55b4 (patch) | |
tree | 864b1dff6eebd279966d29a8c6c76f7701e50d3d | |
parent | befa2f6d51231c9f79f4c66457424870c120517a (diff) | |
download | nextcloud-server-97548e789fd09685d79ad4bf28c59d7067ca55b4.tar.gz nextcloud-server-97548e789fd09685d79ad4bf28c59d7067ca55b4.zip |
feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r-- | config/config.sample.php | 13 | ||||
-rw-r--r-- | lib/private/Security/Bruteforce/Throttler.php | 8 |
2 files changed, 19 insertions, 2 deletions
diff --git a/config/config.sample.php b/config/config.sample.php index b0aac34c066..185473ea6c7 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -353,6 +353,19 @@ $CONFIG = [ 'auth.bruteforce.protection.enabled' => true, /** + * Whether the bruteforce protection shipped with Nextcloud should be set to testing mode. + * + * In testing mode bruteforce attempts are still recorded, but the requests do + * not sleep/wait for the specified time. They will still abort with + * "429 Too Many Requests" when the maximum delay is reached. + * Enabling this is discouraged for security reasons + * and should only be done for debugging and on CI when running tests. + * + * Defaults to ``false`` + */ +'auth.bruteforce.protection.testing' => false, + +/** * Whether the rate limit protection shipped with Nextcloud should be enabled or not. * * Disabling this is discouraged for security reasons. diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php index a0a41a8b4c4..01032c415ff 100644 --- a/lib/private/Security/Bruteforce/Throttler.php +++ b/lib/private/Security/Bruteforce/Throttler.php @@ -280,7 +280,9 @@ class Throttler implements IThrottler { */ public function sleepDelay(string $ip, string $action = ''): int { $delay = $this->getDelay($ip, $action); - usleep($delay * 1000); + if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) { + usleep($delay * 1000); + } return $delay; } @@ -304,7 +306,9 @@ class Throttler implements IThrottler { 'delay' => $delay, ]); } - usleep($delay * 1000); + if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) { + usleep($delay * 1000); + } return $delay; } } |