authorJoas Schilling <coding@schilljs.com>2023-08-14 18:59:50 +0200
committerJoas Schilling <coding@schilljs.com>2023-08-23 06:44:06 +0200
commit97548e789fd09685d79ad4bf28c59d7067ca55b4 (patch)
tree864b1dff6eebd279966d29a8c6c76f7701e50d3d /config
parentbefa2f6d51231c9f79f4c66457424870c120517a (diff)
feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'config')
-rw-r--r--config/config.sample.php13
1 files changed, 13 insertions, 0 deletions
diff --git a/config/config.sample.php b/config/config.sample.php
index b0aac34c066..185473ea6c7 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -353,6 +353,19 @@ $CONFIG = [
'auth.bruteforce.protection.enabled' => true,
/**
+ * Whether the bruteforce protection shipped with Nextcloud should be set to testing mode.
+ *
+ * In testing mode bruteforce attempts are still recorded, but the requests do
+ * not sleep/wait for the specified time. They will still abort with
+ * "429 Too Many Requests" when the maximum delay is reached.
+ * Enabling this is discouraged for security reasons
+ * and should only be done for debugging and on CI when running tests.
+ *
+ * Defaults to ``false``
+ */
+'auth.bruteforce.protection.testing' => false,
+
+/**
* Whether the rate limit protection shipped with Nextcloud should be enabled or not.
*
* Disabling this is discouraged for security reasons.
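Review bot: The doc comment for `'auth.bruteforce.protection.testing'` says enabling it is "discouraged for security reasons" but never states what protection is lost, so an admin copying from the sample cannot judge the risk. Since the text itself says requests no longer sleep, I would spell out the consequence, e.g. ` * Without the delay, repeated failed attempts are no longer slowed down before the 429 limit is reached,` followed by ` * so this must never be enabled on a production instance.` The comment also does not say how this option interacts with `'auth.bruteforce.protection.enabled' => false` just above; that cannot be determined from the visible lines, so one sentence stating whether testing mode has any effect when protection is disabled would help. The `$CONFIG` array begins and continues outside this hunk.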