diff options
Diffstat (limited to 'apps/federation/lib/Controller')
| -rw-r--r-- | apps/federation/lib/Controller/OCSAuthAPIController.php | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/apps/federation/lib/Controller/OCSAuthAPIController.php b/apps/federation/lib/Controller/OCSAuthAPIController.php index 82c3e20da31..63a5fbb3155 100644 --- a/apps/federation/lib/Controller/OCSAuthAPIController.php +++ b/apps/federation/lib/Controller/OCSAuthAPIController.php @@ -38,6 +38,7 @@ use OCP\AppFramework\OCSController; use OCP\AppFramework\Utility\ITimeFactory; use OCP\BackgroundJob\IJobList; use OCP\IRequest; +use OCP\Security\Bruteforce\IThrottler; use OCP\Security\ISecureRandom; use Psr\Log\LoggerInterface; @@ -56,6 +57,7 @@ class OCSAuthAPIController extends OCSController { private DbHandler $dbHandler; private LoggerInterface $logger; private ITimeFactory $timeFactory; + private IThrottler $throttler; public function __construct( string $appName, @@ -65,7 +67,8 @@ class OCSAuthAPIController extends OCSController { TrustedServers $trustedServers, DbHandler $dbHandler, LoggerInterface $logger, - ITimeFactory $timeFactory + ITimeFactory $timeFactory, + IThrottler $throttler ) { parent::__construct($appName, $request); @@ -75,6 +78,7 @@ class OCSAuthAPIController extends OCSController { $this->dbHandler = $dbHandler; $this->logger = $logger; $this->timeFactory = $timeFactory; + $this->throttler = $throttler; } /** @@ -82,6 +86,7 @@ class OCSAuthAPIController extends OCSController { * * @NoCSRFRequired * @PublicPage + * @BruteForceProtection(action=federationSharedSecret) * * @param string $url URL of the server * @param string $token Token of the server @@ -100,6 +105,7 @@ class OCSAuthAPIController extends OCSController { * * @NoCSRFRequired * @PublicPage + * @BruteForceProtection(action=federationSharedSecret) * * @param string $url URL of the server * @param string $token Token of the server @@ -117,6 +123,7 @@ class OCSAuthAPIController extends OCSController { * * @NoCSRFRequired * @PublicPage + * @BruteForceProtection(action=federationSharedSecret) * * @param string $url URL of the server * @param string $token Token of the server @@ -127,6 +134,7 @@ class OCSAuthAPIController extends OCSController { */ public function requestSharedSecret(string $url, string $token): DataResponse { if ($this->trustedServers->isTrustedServer($url) === false) { + $this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress()); $this->logger->error('remote server not trusted (' . $url . ') while requesting shared secret', ['app' => 'federation']); throw new OCSForbiddenException(); } @@ -159,6 +167,7 @@ class OCSAuthAPIController extends OCSController { * * @NoCSRFRequired * @PublicPage + * @BruteForceProtection(action=federationSharedSecret) * * @param string $url URL of the server * @param string $token Token of the server @@ -169,11 +178,13 @@ class OCSAuthAPIController extends OCSController { */ public function getSharedSecret(string $url, string $token): DataResponse { if ($this->trustedServers->isTrustedServer($url) === false) { + $this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress()); $this->logger->error('remote server not trusted (' . $url . ') while getting shared secret', ['app' => 'federation']); throw new OCSForbiddenException(); } if ($this->isValidToken($url, $token) === false) { + $this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress()); $expectedToken = $this->dbHandler->getToken($url); $this->logger->error( 'remote server (' . $url . ') didn\'t send a valid token (got "' . $token . '" but expected "'. $expectedToken . '") while getting shared secret', |