Add metadata to \OCP\AppFramework\Http\Response::throttle

Fixes https://github.com/nextcloud/server/issues/5891

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>

6 files changed, 28 insertions, 5 deletions

diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index 1c75b1f3c8b..12431571256 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -248,7 +248,7 @@ class LoginController extends Controller {
 				$args['redirect_url'] = $redirect_url;
 			}
 			$response = new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args));
-			$response->throttle();
+			$response->throttle(['user' => $user]);
 			$this->session->set('loginMessages', [
 				['invalidpassword'], []
 			]);
diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
index b361f453bdb..75cf40b0ace 100644
--- a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
@@ -75,7 +75,7 @@ class BruteForceMiddleware extends Middleware {
 			$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
 			$ip = $this->request->getRemoteAddress();
 			$this->throttler->sleepDelay($ip, $action);
-			$this->throttler->registerAttempt($action, $ip);
+			$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());
 		}
 
 		return parent::afterController($controller, $methodName, $response);
diff --git a/lib/public/AppFramework/Http/Response.php b/lib/public/AppFramework/Http/Response.php
index 087522386be..4e79e20a73f 100644
--- a/lib/public/AppFramework/Http/Response.php
+++ b/lib/public/AppFramework/Http/Response.php
@@ -83,6 +83,8 @@ class Response {
 
 	/** @var bool */
 	private $throttled = false;
+	/** @var array */
+	private $throttleMetadata = [];
 
 	/**
 	 * Caches the response
@@ -328,10 +330,22 @@ class Response {
 	 * Marks the response as to throttle. Will be throttled when the
 	 * @BruteForceProtection annotation is added.
 	 *
+	 * @param array $metadata
 	 * @since 12.0.0
 	 */
-	public function throttle() {
+	public function throttle(array $metadata = []) {
 		$this->throttled = true;
+		$this->throttleMetadata = $metadata;
+	}
+
+	/**
+	 * Returns the throttle metadata, defaults to empty array
+	 *
+	 * @return array
+	 * @since 13.0.0
+	 */
+	public function getThrottleMetadata() {
+		return $this->throttleMetadata;
 	}
 
 	/**
diff --git a/tests/Core/Controller/LoginControllerTest.php b/tests/Core/Controller/LoginControllerTest.php
index bd2d0143caf..493bade9dd8 100644
--- a/tests/Core/Controller/LoginControllerTest.php
+++ b/tests/Core/Controller/LoginControllerTest.php
@@ -307,7 +307,7 @@ class LoginControllerTest extends TestCase {
 			->method('deleteUserValue');
 
 		$expected = new \OCP\AppFramework\Http\RedirectResponse($loginPageUrl);
-		$expected->throttle();
+		$expected->throttle(['user' => 'MyUserName']);
 		$this->assertEquals($expected, $this->loginController->tryLogin($user, $password, '/apps/files'));
 	}
 
@@ -634,7 +634,7 @@ class LoginControllerTest extends TestCase {
 			->method('createRememberMeToken');
 
 		$expected = new RedirectResponse('');
-		$expected->throttle();
+		$expected->throttle(['user' => 'john']);
 		$this->assertEquals($expected, $this->loginController->tryLogin('john@doe.com', 'just wrong', null));
 	}
 }
diff --git a/tests/lib/AppFramework/Http/ResponseTest.php b/tests/lib/AppFramework/Http/ResponseTest.php
index d8959face89..9267d862600 100644
--- a/tests/lib/AppFramework/Http/ResponseTest.php
+++ b/tests/lib/AppFramework/Http/ResponseTest.php
@@ -269,4 +269,9 @@ class ResponseTest extends \Test\TestCase {
 		$this->childResponse->throttle();
 		$this->assertTrue($this->childResponse->isThrottled());
 	}
+
+	public function testGetThrottleMetadata() {
+		$this->childResponse->throttle(['foo' => 'bar']);
+		$this->assertSame(['foo' => 'bar'], $this->childResponse->getThrottleMetadata());
+	}
 }
diff --git a/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php
index 14d3b796846..ae2345764ff 100644
--- a/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php
@@ -112,6 +112,10 @@ class BruteForceMiddlewareTest extends TestCase {
 			->expects($this->once())
 			->method('isThrottled')
 			->willReturn(true);
+		$response
+			->expects($this->once())
+			->method('getThrottleMetadata')
+			->willReturn([]);
 		$this->reflector
 			->expects($this->once())
 			->method('getAnnotationParameter')