author | Joas Schilling <coding@schilljs.com> | 2023-08-14 19:16:31 +0200 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2023-08-23 06:44:06 +0200 |
commit | 5c0789197f2f8f6d4ca088d28f4aae2fc4b8e351 (patch) | |
tree | d0bf7d7f8c8fcedb27e7989bf10505f2d329c9b2 /lib | |
parent | 97548e789fd09685d79ad4bf28c59d7067ca55b4 (diff) | |
download | nextcloud-server-5c0789197f2f8f6d4ca088d28f4aae2fc4b8e351.tar.gz nextcloud-server-5c0789197f2f8f6d4ca088d28f4aae2fc4b8e351.zip |
feat: Add a header which signals that the request was throttled
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
index 2ecd26a68e1..6a943af2a1f 100644
--- a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
@@ -51,6 +51,8 @@ use ReflectionMethod;
 * @package OC\AppFramework\Middleware\Security
 */
 class BruteForceMiddleware extends Middleware {
+ private int $delaySlept = 0;
+
 public function __construct(
 protected ControllerMethodReflector $reflector,
 protected Throttler $throttler,
@@ -67,7 +69,7 @@ class BruteForceMiddleware extends Middleware {
 if ($this->reflector->hasAnnotation('BruteForceProtection')) {
 $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
- $this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action);
+ $this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action);
 } else {
 $reflectionMethod = new ReflectionMethod($controller, $methodName);
 $attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);
@@ -79,7 +81,7 @@ class BruteForceMiddleware extends Middleware {
 /** @var BruteForceProtection $protection */
 $protection = $attribute->newInstance();
 $action = $protection->getAction();
- $this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action);
+ $this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action);
 }
 }
 }
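Review bot: The new `$delaySlept` property in the first hunk has no docblock, so its unit and lifetime are only implied by the `. 'ms'` suffix in the afterController hunk further down. Suggest `/** Total delay the throttler slept for while handling this request, in the unit returned by sleepDelayOrThrowOnMax (presumably milliseconds); exposed to the client via the X-Nextcloud-Bruteforce-Throttled header. */` above the declaration. Because the value becomes client-visible, it is worth stating there that it is summed across both beforeController and afterController and is not reset anywhere in these hunks.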
@@ -95,7 +97,7 @@ class BruteForceMiddleware extends Middleware {
 $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
 $ip = $this->request->getRemoteAddress();
 $this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());
- $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
+ $this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
 } else {
 $reflectionMethod = new ReflectionMethod($controller, $methodName);
 $attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);
@@ -111,7 +113,7 @@ class BruteForceMiddleware extends Middleware {
 if (!isset($metaData['action']) || $metaData['action'] === $action) {
 $this->throttler->registerAttempt($action, $ip, $metaData);
- $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
+ $this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
 }
 }
 } else {
@@ -127,6 +129,14 @@ class BruteForceMiddleware extends Middleware {
 }
 }
+ if ($this->delaySlept) {
+ $headers = $response->getHeaders();
+ if (!isset($headers['X-Nextcloud-Bruteforce-Throttled'])) {
+ $headers['X-Nextcloud-Bruteforce-Throttled'] = $this->delaySlept . 'ms';
+ $response->setHeaders($headers);
+ }
+ }
+
 return parent::afterController($controller, $methodName, $response);
 } |
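Review bot: `$this->delaySlept` is only ever incremented in these hunks and is never cleared, so if one middleware instance serves more than one controller dispatch (I cannot tell from here whether that happens) a later response would advertise the delay slept for an earlier one. Clearing it once the header has been handled keeps the value per dispatch: add `$this->delaySlept = 0;` as the last statement of the outer `if ($this->delaySlept) {` block in the last hunk, or reset it at the start of beforeController, which begins outside these hunks. Since the property is typed `int`, the explicit `if ($this->delaySlept > 0) {` reads better than the truthiness check. The `isset` guard lets a header already set by the controller win, which looks intentional but deserves a one-line comment saying so; note too that a throttled request that ends via the throw path of sleepDelayOrThrowOnMax never reaches this code, so it gets no header.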