diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2016-07-20 18:36:15 +0200 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2016-07-20 22:08:56 +0200 |
| commit | ba4f12baa02dfb55ec8822687896d643261440c4 (patch) | |
| tree | 5dc95ab54a2ae169951693a43ba7aa6920d6f36a /lib/private/AppFramework/Middleware | |
| parent | 7cdf6402ff9a0e07866ca8bcfcffd0e0897b646a (diff) | |
| download | nextcloud-server-ba4f12baa02dfb55ec8822687896d643261440c4.tar.gz nextcloud-server-ba4f12baa02dfb55ec8822687896d643261440c4.zip | |
Implement brute force protection
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.
It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
Diffstat (limited to 'lib/private/AppFramework/Middleware')
| -rw-r--r-- | lib/private/AppFramework/Middleware/Security/CORSMiddleware.php | 25 |
1 files changed, 11 insertions, 14 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php index 32a507623e3..04de4bc92d3 100644 --- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php @@ -27,6 +27,7 @@ namespace OC\AppFramework\Middleware\Security; use OC\AppFramework\Middleware\Security\Exceptions\SecurityException; use OC\AppFramework\Utility\ControllerMethodReflector; use OC\Authentication\Exceptions\PasswordLoginForbiddenException; +use OC\Security\Bruteforce\Throttler; use OC\User\Session; use OCP\AppFramework\Controller; use OCP\AppFramework\Http; @@ -42,33 +43,29 @@ use OCP\IRequest; * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS */ class CORSMiddleware extends Middleware { - - /** - * @var IRequest - */ + /** @var IRequest */ private $request; - - /** - * @var ControllerMethodReflector - */ + /** @var ControllerMethodReflector */ private $reflector; - - /** - * @var Session - */ + /** @var Session */ private $session; + /** @var Throttler */ + private $throttler; /** * @param IRequest $request * @param ControllerMethodReflector $reflector * @param Session $session + * @param Throttler $throttler */ public function __construct(IRequest $request, ControllerMethodReflector $reflector, - Session $session) { + Session $session, + Throttler $throttler) { $this->request = $request; $this->reflector = $reflector; $this->session = $session; + $this->throttler = $throttler; } /** @@ -91,7 +88,7 @@ class CORSMiddleware extends Middleware { $this->session->logout(); try { - if (!$this->session->logClientIn($user, $pass, $this->request)) { + if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); } } catch (PasswordLoginForbiddenException $ex) { |