author | pjft <pjft@users.noreply.github.com> | 2021-05-30 21:25:34 +0100 |
---|---|---|
committer | pjft <paulo.j.tavares@gmail.com> | 2021-06-21 20:43:12 +0100 |
commit | b1086e25bb9c92c939116201fe7893ab9a88123a (patch) | |
tree | 8414c76e84a51114bc43710b2a388a0a0831cd9c /core/Controller | |
parent | 719430559f1a1f28800a9a26d4a5492aae046730 (diff) | |
Add logging to 2FA failure
For security reasons, we may want to monitor failures of 2FA challenges in order to ban attackers who might try to access compromised accounts but are stopped by the 2FA challenge.
Right now, the only hindrance is rate-limiting, but it's probably not enough.
Added dependency injection.
Signed-off-by: pjft <paulo.j.tavares@gmail.com>
Diffstat (limited to 'core/Controller')
-rw-r--r-- | core/Controller/TwoFactorChallengeController.php | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/core/Controller/TwoFactorChallengeController.php b/core/Controller/TwoFactorChallengeController.php
index a9e1ee35917..7deefaba4e6 100644
--- a/core/Controller/TwoFactorChallengeController.php
+++ b/core/Controller/TwoFactorChallengeController.php
@@ -36,6 +36,7 @@ use OCP\Authentication\TwoFactorAuth\IActivatableAtLogin;
 use OCP\Authentication\TwoFactorAuth\IProvider;
 use OCP\Authentication\TwoFactorAuth\IProvidesCustomCSP;
 use OCP\Authentication\TwoFactorAuth\TwoFactorException;
+use OCP\ILogger;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IURLGenerator;
@@ -52,6 +53,9 @@ class TwoFactorChallengeController extends Controller {
 /** @var ISession */
 private $session;
+ /** @var ILogger */
+ private $logger;
+
 /** @var IURLGenerator */
 private $urlGenerator;
@@ -62,14 +66,16 @@ class TwoFactorChallengeController extends Controller {
 * @param IUserSession $userSession
 * @param ISession $session
 * @param IURLGenerator $urlGenerator
+ * @param ILogger $logger
 */
 public function __construct($appName, IRequest $request, Manager $twoFactorManager, IUserSession $userSession,
- ISession $session, IURLGenerator $urlGenerator) {
+ ISession $session, IURLGenerator $urlGenerator, ILogger $logger) {
 parent::__construct($appName, $request);
 $this->twoFactorManager = $twoFactorManager;
 $this->userSession = $userSession;
 $this->session = $session;
 $this->urlGenerator = $urlGenerator;
+ $this->logger = $logger;
 }
 /**
@@ -209,6 +215,9 @@ class TwoFactorChallengeController extends Controller {
 $this->session->set('two_factor_auth_error_message', $e->getMessage());
 }
+ $ip = $this->request->getRemoteAddress();
+ $uid = $user->getUID();
+ $this->logger->warning("Two-factor challenge failed: $uid (Remote IP: $ip)");
 $this->session->set('two_factor_auth_error', true);
 return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.showChallenge', [
 'challengeProviderId' => $provider->getId(), |
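Review bot: The constructor in the third hunk type-hints `OCP\ILogger`, which as far as I know is marked deprecated in the public API in favour of the PSR-3 interface, so new code would normally inject `Psr\Log\LoggerInterface $logger` instead. That would also mean `use Psr\Log\LoggerInterface;` in place of the import added in the first hunk and `/** @var LoggerInterface */` on the property added in the second. The `warning()` call in the last hunk has the same shape under PSR-3, so nothing else needs to move. The class body starts and ends outside these hunks, so other users of the constructor cannot be checked from here.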
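Review bot: The warning added after the catch block in the last hunk interpolates `$uid` and `$ip` straight into the message and does not record which provider failed, which makes the entry harder to match reliably from fail2ban or a SIEM rule. Passing the values as context keeps the message text constant: `$this->logger->warning('Two-factor challenge failed: {uid} (Remote IP: {ip}, provider: {provider})', ['app' => 'core', 'uid' => $uid, 'ip' => $ip, 'provider' => $provider->getId()]);`. Since the stated purpose is banning by address, I would add a comment such as `// getRemoteAddress() is only as reliable as the trusted_proxies configuration; behind a misconfigured proxy this logs the proxy or a client-supplied address`. The enclosing method starts and ends outside the hunk, so whether `$user` can be null at this point, and whether the line is reached on paths other than a failed verification, should be confirmed against the full method.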