feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep

Signed-off-by: Joas Schilling <coding@schilljs.com>
author: Joas Schilling <coding@schilljs.com> 2023-08-14 18:59:50 +0200
committer: Joas Schilling <coding@schilljs.com> 2023-08-21 16:36:03 +0200
commit: abc98d343cbd43283eee02886c3a89bd3328ed38 (patch)
tree: 8f25a9cad5598f59193849c4d32673b5dd609e0f /config
parent: a95800c647dbb91c68a545a5378f169a6abd65cc (diff)
download: nextcloud-server-abc98d343cbd43283eee02886c3a89bd3328ed38.tar.gz
nextcloud-server-abc98d343cbd43283eee02886c3a89bd3328ed38.zip
1 files changed, 13 insertions, 0 deletions
diff --git a/config/config.sample.php b/config/config.sample.php
index 210d0a8e8ce..77783021939 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -353,6 +353,19 @@ $CONFIG = [
 'auth.bruteforce.protection.enabled' => true,
 
 /**
+ * Whether the bruteforce protection shipped with Nextcloud should be set to testing mode.
+ *
+ * In testing mode bruteforce attempts are still recorded, but the requests do
+ * not sleep/wait for the specified time. They will still abort with
+ * "429 Too Many Requests" when the maximum delay is reached.
+ * Enabling this is discouraged for security reasons
+ * and should only be done for debugging and on CI when running tests.
+ *
+ * Defaults to ``false``
+ */
+'auth.bruteforce.protection.testing' => false,
+
+/**
  * Whether the rate limit protection shipped with Nextcloud should be enabled or not.
  *
  * Disabling this is discouraged for security reasons.
author	Joas Schilling <coding@schilljs.com>	2023-08-14 18:59:50 +0200
committer	Joas Schilling <coding@schilljs.com>	2023-08-21 16:36:03 +0200
commit	abc98d343cbd43283eee02886c3a89bd3328ed38 (patch)
tree	8f25a9cad5598f59193849c4d32673b5dd609e0f /config
parent	a95800c647dbb91c68a545a5378f169a6abd65cc (diff)
download	nextcloud-server-abc98d343cbd43283eee02886c3a89bd3328ed38.tar.gz nextcloud-server-abc98d343cbd43283eee02886c3a89bd3328ed38.zip