3 files changed, 29 insertions, 10 deletions

diff --git a/lib/private/AppConfig.php b/lib/private/AppConfig.php
index 092d37c3338..a8a6f689ffa 100644
--- a/lib/private/AppConfig.php
+++ b/lib/private/AppConfig.php
@@ -488,6 +488,14 @@ class AppConfig implements IAppConfig {
 	 * @see VALUE_ARRAY
 	 */
 	public function getValueType(string $app, string $key, ?bool $lazy = null): int {
+		$type = self::VALUE_MIXED;
+		$ignorable = $lazy ?? false;
+		$this->matchAndApplyLexiconDefinition($app, $key, $ignorable, $type);
+		if ($type !== self::VALUE_MIXED) {
+			// a modified $type means config key is set in Lexicon
+			return $type;
+		}
+
 		$this->assertParams($app, $key);
 		$this->loadConfig($app, $lazy);
 
diff --git a/lib/private/AppFramework/Middleware/PublicShare/PublicShareMiddleware.php b/lib/private/AppFramework/Middleware/PublicShare/PublicShareMiddleware.php
index 2b3025fccff..b3040673d0f 100644
--- a/lib/private/AppFramework/Middleware/PublicShare/PublicShareMiddleware.php
+++ b/lib/private/AppFramework/Middleware/PublicShare/PublicShareMiddleware.php
@@ -120,7 +120,7 @@ class PublicShareMiddleware extends Middleware {
 
 	private function throttle($bruteforceProtectionAction, $token): void {
 		$ip = $this->request->getRemoteAddress();
-		$this->throttler->sleepDelay($ip, $bruteforceProtectionAction);
+		$this->throttler->sleepDelayOrThrowOnMax($ip, $bruteforceProtectionAction);
 		$this->throttler->registerAttempt($bruteforceProtectionAction, $ip, ['token' => $token]);
 	}
 }
diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php
index 21d50848641..065f720ba72 100644
--- a/lib/private/Security/Bruteforce/Throttler.php
+++ b/lib/private/Security/Bruteforce/Throttler.php
@@ -127,6 +127,13 @@ class Throttler implements IThrottler {
 	 */
 	public function getDelay(string $ip, string $action = ''): int {
 		$attempts = $this->getAttempts($ip, $action);
+		return $this->calculateDelay($attempts);
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	public function calculateDelay(int $attempts): int {
 		if ($attempts === 0) {
 			return 0;
 		}
@@ -199,25 +206,29 @@ class Throttler implements IThrottler {
 	 * {@inheritDoc}
 	 */
 	public function sleepDelayOrThrowOnMax(string $ip, string $action = ''): int {
-		$delay = $this->getDelay($ip, $action);
-		if (($delay === self::MAX_DELAY_MS) && $this->getAttempts($ip, $action, 0.5) > $this->config->getSystemValueInt('auth.bruteforce.max-attempts', self::MAX_ATTEMPTS)) {
-			$this->logger->info('IP address blocked because it reached the maximum failed attempts in the last 30 minutes [action: {action}, ip: {ip}]', [
+		$attempts = $this->getAttempts($ip, $action, 0.5);
+		if ($attempts > $this->config->getSystemValueInt('auth.bruteforce.max-attempts', self::MAX_ATTEMPTS)) {
+			$this->logger->info('IP address blocked because it reached the maximum failed attempts in the last 30 minutes [action: {action}, attempts: {attempts}, ip: {ip}]', [
 				'action' => $action,
 				'ip' => $ip,
+				'attempts' => $attempts,
 			]);
 			// If the ip made too many attempts within the last 30 mins we don't execute anymore
 			throw new MaxDelayReached('Reached maximum delay');
 		}
-		if ($delay > 100) {
-			$this->logger->info('IP address throttled because it reached the attempts limit in the last 30 minutes [action: {action}, delay: {delay}, ip: {ip}]', [
+
+		$attempts = $this->getAttempts($ip, $action);
+		if ($attempts > 10) {
+			$this->logger->info('IP address throttled because it reached the attempts limit in the last 12 hours [action: {action}, attempts: {attempts}, ip: {ip}]', [
 				'action' => $action,
 				'ip' => $ip,
-				'delay' => $delay,
+				'attempts' => $attempts,
 			]);
 		}
-		if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
-			usleep($delay * 1000);
+		if ($attempts > 0) {
+			return $this->calculateDelay($attempts);
 		}
-		return $delay;
+
+		return 0;
 	}
 }