path: root/lib/private/Security/Bruteforce/Throttler.php
Commit log for this file, newest first. Each entry gives the commit message, then author | date | files changed | lines removed/added, then the commit body.
* chore(bruteforce): allows configuring max attempts before request abort
  Benjamin Gaussorgues | 2024-12-03 | 1 file | -2/+2
  Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* style: update codestyle for coding-standard 1.2.3
  Daniel Kesselberg | 2024-08-25 | 1 file | -2/+2
  Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* chore: Add SPDX header
  Andy Scherzinger | 2024-05-24 | 1 file | -27/+2
  Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* chore: apply changes from Nextcloud coding standards 1.1.1
  Joas Schilling | 2023-11-23 | 1 file | -2/+2
  Signed-off-by: Joas Schilling <coding@schilljs.com>
  Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* Refactors lib/private/Security.
  Faraz Samapoor | 2023-09-27 | 1 file | -3/+0
  Mainly using PHP8's constructor property promotion.
  Signed-off-by: Faraz Samapoor <fsa@adlas.at>
* fix: Make bypass function public API
  Joas Schilling | 2023-08-21 | 1 file | -5/+5
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat: Expose if the own IP is allowed to bypass bruteforce protection
  Joas Schilling | 2023-08-21 | 1 file | -1/+1
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep
  Joas Schilling | 2023-08-21 | 1 file | -2/+6
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(security): Add a bruteforce protection backend based on memcache
  Joas Schilling | 2023-08-21 | 1 file | -126/+71
  Similar to the ratelimit backend
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Refactors "strpos" calls in lib/private to improve code readability.
  Faraz Samapoor | 2023-05-15 | 1 file | -1/+1
  Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>
* Use typed version of IConfig::getSystemValue as much as possible
  Côme Chilliet | 2023-04-05 | 1 file | -2/+2
  Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Add a public interface for the bruteforce throttler and register for injection
  Joas Schilling | 2022-07-28 | 1 file | -5/+3
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Only ignore attempts of the same action
  Joas Schilling | 2022-07-07 | 1 file | -4/+4
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Migrate from ILogger to LoggerInterface in lib/private
  Côme Chilliet | 2022-03-24 | 1 file | -10/+3
  Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Log bruteforce throttle and blocking
  Joas Schilling | 2022-01-18 | 1 file | -0/+11
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Don't query the bruteforce attempts when we just deleted them
  Joas Schilling | 2021-12-01 | 1 file | -2/+6
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Update php licenses
  John Molakvoæ (skjnldsv) | 2021-06-04 | 1 file | -2/+1
  Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
* Limit throttler to 48 hours
  Roeland Jago Douma | 2020-10-08 | 1 file | -0/+5
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Format code to a single space around binary operators
  Christoph Wurst | 2020-10-05 | 1 file | -3/+3
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Remove @suppress SqlInjectionChecker
  Morris Jobke | 2020-09-16 | 1 file | -1/+0
  Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Don't break when the IP is empty
  Joas Schilling | 2020-09-10 | 1 file | -0/+4
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Update the license headers for Nextcloud 20
  Christoph Wurst | 2020-08-24 | 1 file | -1/+3
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix CS
  Joas Schilling | 2020-08-19 | 1 file | -0/+1
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Correctly return ms delay when at max
  Joas Schilling | 2020-08-19 | 1 file | -3/+4
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Add missing default
  Joas Schilling | 2020-08-19 | 1 file | -1/+1
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Simplify array filter
  Joas Schilling | 2020-08-19 | 1 file | -2/+1
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Fix wrong doc + type hint
  Joas Schilling | 2020-08-19 | 1 file | -2/+2
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Only throw when also the last 30 mins were attacking
  Joas Schilling | 2020-08-19 | 1 file | -8/+9
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Make the throttling O(2^n) instead of O(n^n)
  Joas Schilling | 2020-08-19 | 1 file | -9/+9
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Make Throttler strict
  Joas Schilling | 2020-08-19 | 1 file | -9/+10
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Split delay calculation from getting the attempts
  Joas Schilling | 2020-08-19 | 1 file | -5/+17
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Let the database count the entries
  Joas Schilling | 2020-08-19 | 1 file | -2/+6
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Send "429 Too Many Requests" in case of brute force protection
  Joas Schilling | 2020-08-19 | 1 file | -1/+21
  Signed-off-by: Joas Schilling <coding@schilljs.com>
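The throttling behaviour that the 2020-08-19 commits above describe (a delay that doubles per failed attempt, a hard cap returned in milliseconds, attempts counted per IP and action, and a 429 instead of a sleep only when the last 30 minutes were also attacking) as an added Python illustration. This is not Nextcloud's Throttler.php and makes no claim about its exact code; the numeric parameters (100 ms first delay, 25 s cap, a 24-hour counting window, more than 5 attempts in the last 30 minutes) and the in-memory store standing in for the database table are assumptions chosen for the example. Sleeping inside the request handler ties up a PHP worker for the whole delay, which is why a cap and a fast 429 path matter: an attacker who has already saturated the delay should cost a cheap rejection, not a 25-second worker.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# All parameters below are assumptions for this example, not values from the page.
FIRST_DELAY_MS = 100            # delay after a single failed attempt
MAX_DELAY_MS = 25_000           # hard cap, always reported in milliseconds
ATTEMPT_WINDOW_S = 24 * 3600    # attempts older than this are not counted
RECENT_WINDOW_S = 30 * 60       # the "last 30 mins" check
RECENT_THRESHOLD = 5            # more than this many recent attempts = still attacking


class TooManyRequests(Exception):
    """Raised instead of sleeping when the throttle is saturated; maps to HTTP 429."""
    http_status = 429


@dataclass
class Throttler:
    # (ip, action) -> timestamps of failed attempts; stands in for the DB table
    attempts: Dict[Tuple[str, str], List[float]] = field(default_factory=dict)

    def register_attempt(self, ip: str, action: str, now: float) -> None:
        if ip == "":
            return  # nothing to key on: ignore rather than break the request
        self.attempts.setdefault((ip, action), []).append(now)

    def get_attempts(self, ip: str, action: str, now: float,
                     window_s: float = ATTEMPT_WINDOW_S) -> int:
        cutoff = now - window_s
        return sum(1 for t in self.attempts.get((ip, action), []) if t >= cutoff)

    def reset_attempts(self, ip: str, action: str) -> None:
        # A successful login clears only the same ip+action pair, so failures
        # recorded against other actions keep counting.
        self.attempts.pop((ip, action), None)

    @staticmethod
    def delay_ms_for(attempts: int) -> int:
        """Delay in ms for a given attempt count: 100 ms * 2^n, capped."""
        if attempts <= 0:
            return 0
        if attempts > 20:
            return MAX_DELAY_MS  # 100 ms * 2^20 is far past the cap already
        delay = FIRST_DELAY_MS * 2 ** attempts   # doubles per attempt: O(2^n)
        return min(delay, MAX_DELAY_MS)          # at the cap, report the cap itself in ms

    def get_delay_ms(self, ip: str, action: str, now: float) -> int:
        return self.delay_ms_for(self.get_attempts(ip, action, now))

    def sleep_delay_or_throw(self, ip: str, action: str, now: float) -> int:
        """Return the delay to sleep, or raise when at the cap AND still under attack."""
        delay = self.get_delay_ms(ip, action, now)
        recent = self.get_attempts(ip, action, now, RECENT_WINDOW_S)
        if delay == MAX_DELAY_MS and recent > RECENT_THRESHOLD:
            raise TooManyRequests(f"{ip} is throttled for action {action!r}")
        # A real middleware would time.sleep(delay / 1000) here, except in a testing mode.
        return delay
```

An attack that stopped hours ago still yields the maximum delay (the attempts are inside the 24-hour window) but no 429, because the 30-minute window is empty; only an IP that is at the cap and still hammering the endpoint gets the cheap rejection.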
* Merge pull request #20005 from joeried/occ-remove-bruteforce-attempts-by-ip
  Morris Jobke | 2020-05-25 | 1 file | -6/+29
  Implement occ command to reset bruteforce attempts from a given IP address
  Commits on the merged branch:
  * Fix code style
    Morris Jobke | 2020-05-25 | 1 file | -1/+1
    Signed-off-by: Morris Jobke <hey@morrisjobke.de>
  * Implement occ command security:bruteforceattemps:reset-for-ip
    Johannes Riedel | 2020-03-19 | 1 file | -6/+29
    Signed-off-by: Johannes Riedel <joeried@users.noreply.github.com>
* Update license headers for 19
  Christoph Wurst | 2020-04-29 | 1 file | -0/+1
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Add visibility to all constants
  Christoph Wurst | 2020-04-10 | 1 file | -1/+1
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Format control structures, classes, methods and function
  Christoph Wurst | 2020-04-10 | 1 file | -6/+5
  To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is practically standard for our code.
  This also removes empty lines from method/function bodies at the beginning and end.
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Use elseif instead of else if
  Christoph Wurst | 2020-04-10 | 1 file | -1/+1
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Unify function spacing to PSR2 recommendation
  Christoph Wurst | 2020-04-09 | 1 file | -1/+1
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Update license headers
  Christoph Wurst | 2019-12-05 | 1 file | -1/+3
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix the throttler whitelist bitmask
  Roeland Jago Douma | 2019-02-11 | 1 file | -2/+4
  Before we actually didn't check each bit of the bitmask. Now we do.
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
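A bit-exact subnet match for a brute-force bypass list, as an added Python illustration; it is not Nextcloud's own code and does not claim to reproduce the bug the commit above fixed. It puts a whole-byte shortcut (constructed here for contrast: it compares only the octets fully covered by the prefix, so a /20 behaves like a /16) beside a check that honours every prefix bit, and wraps the correct check in a bypass-list helper. The helper's name, its `protection_enabled` flag (treating every IP as whitelisted when protection is off, as the 2017-05-01 commit below describes) and the bare-address-means-single-host rule are assumptions for the example.

```python
import ipaddress
from typing import Iterable


def ip_in_cidr(ip: str, cidr: str) -> bool:
    """True if ip lies in cidr, comparing every one of the prefix bits."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(cidr, strict=False)   # tolerate host bits set in the entry
    if addr.version != net.version:
        return False                                  # never compare v4 bits against a v6 net
    bits = net.max_prefixlen                          # 32 or 128
    mask = ((1 << net.prefixlen) - 1) << (bits - net.prefixlen)   # top prefixlen bits set
    return (int(addr) & mask) == (int(net.network_address) & mask)


def ip_in_cidr_bytewise(ip: str, cidr: str) -> bool:
    """Constructed buggy variant, shown for contrast only: compares just the
    whole bytes covered by the prefix, so /20 acts like /16 and /28 like /24."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(cidr, strict=False)
    if addr.version != net.version:
        return False
    whole = net.prefixlen // 8                        # drops the partial byte's bits
    return addr.packed[:whole] == net.network_address.packed[:whole]


def agrees_with_stdlib(ip: str, cidr: str) -> bool:
    """Cross-check the bit math against ipaddress' own containment test."""
    contained = ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    return ip_in_cidr(ip, cidr) == contained


def is_bypass_listed(ip: str, whitelist: Iterable[str], protection_enabled: bool = True) -> bool:
    """Assumed helper: should this client skip brute-force throttling entirely?"""
    if not protection_enabled:
        return True          # protection off: treat every IP as whitelisted
    if ip == "":
        return False         # nothing to match; fall through to throttling
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False         # unparseable client address: do not fail open
    for entry in whitelist:
        entry = entry.strip()
        if not entry:
            continue
        if "/" not in entry:
            entry += "/128" if ":" in entry else "/32"   # bare address = single host
        try:
            if ip_in_cidr(ip, entry):
                return True
        except ValueError:
            continue         # skip a malformed list entry rather than failing open
    return False
```

The mask is built as an integer rather than walking octets, so the partial byte of a /20 or /28 is compared like any other bit; the test data uses 10.0.16.0 against 10.0.0.0/20 because that is exactly the address a byte-granular check lets through.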
* Fix #9864: Decrease $maxDelay in Throttler.php
  Mark Berezovsky | 2018-06-15 | 1 file | -1/+1
  Signed-off-by: Mark Berezovsky <xpnf@yandex.ru>
* Reset bruteforce attempt table on successful login
  Morris Jobke | 2017-11-24 | 1 file | -0/+27
  * only clear the entries that come from the same subnet, same action and same metadata
  Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Update license headers
  Morris Jobke | 2017-11-06 | 1 file | -0/+3
  Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Add Phan plugin to check for SQL injections
  Lukas Reschke | 2017-07-20 | 1 file | -0/+1
  This adds a phan plugin which checks for SQL injections on code using our QueryBuilder, while it isn't perfect it should already catch most potential issues.
  As always, static analysis will sometimes have false positives and this is also here the case. So in some cases the analyzer just doesn't know if something is potential user input or not, thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections.
  The Phan plugin hasn't the most awesome code but it works and I also added a file with test cases.
  Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Mark IP as whitelisted if brute force protection is disabled
  Lukas Reschke | 2017-05-01 | 1 file | -0/+4
  Currently, when disabling the brute force protection no new brute force attempts are logged. However, the ones logged within the last 24 hours will still be used for throttling. This is quite an unexpected behaviour and caused some support issues.
  With this change when the brute force protection is disabled also the existing attempts within the last 24 hours will be disregarded.
  Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Add support for ratelimiting via annotations
  Lukas Reschke | 2017-04-13 | 1 file | -65/+7
  This allows adding rate limiting via annotations to controllers, as one example:
  ```
  @UserRateThrottle(limit=5, period=100)
  @AnonRateThrottle(limit=1, period=100)
  ```
  Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.
  Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
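The annotation semantics spelled out in the commit above (a per-user limit, an anonymous limit, and the anonymous limit applying to logged-in users when it is the only one declared) as an added sliding-window limiter in Python. This is an illustration, not Nextcloud's rate-limiting middleware; the `RouteLimits`/`check_request` names, keying the anonymous and fallback cases by client IP, and the in-memory store are assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple


@dataclass(frozen=True)
class Throttle:
    """One annotation: at most `limit` requests per `period` seconds."""
    limit: int
    period: int


@dataclass(frozen=True)
class RouteLimits:
    """The annotations declared on one controller method (assumed names)."""
    user: Optional[Throttle] = None   # @UserRateThrottle(limit=, period=)
    anon: Optional[Throttle] = None   # @AnonRateThrottle(limit=, period=)


class RateLimiter:
    """Sliding-window counter keyed by (route, scope, identity); stands in for a cache backend."""

    def __init__(self) -> None:
        self._hits: Dict[Tuple[str, str, str], Deque[float]] = defaultdict(deque)

    def register(self, key: Tuple[str, str, str], throttle: Throttle, now: float) -> bool:
        window = self._hits[key]
        while window and window[0] <= now - throttle.period:
            window.popleft()                      # forget hits that left the period
        if len(window) >= throttle.limit:
            return False                          # over the limit: caller answers 429
        window.append(now)
        return True


def check_request(limiter: RateLimiter, route: str, limits: RouteLimits,
                  user_id: Optional[str], client_ip: str, now: float) -> bool:
    """Apply a route's annotations to one request. True = allowed, False = rate limited.

    A logged-in user gets the user limit when one is declared. Otherwise, and for
    anonymous clients, the anon limit applies, keyed by client IP (assumption).
    """
    if user_id is not None and limits.user is not None:
        return limiter.register((route, "user", user_id), limits.user, now)
    if limits.anon is not None:
        return limiter.register((route, "anon", client_ip), limits.anon, now)
    return True   # no annotation on this route: unlimited
```

Two practitioner caveats follow directly from the keying: an IP-keyed anonymous limit is shared by everyone behind the same NAT or proxy (so a reverse proxy must pass the real client address through, or the whole proxy is one bucket), and an attacker with many source addresses gets a fresh bucket per address, which is why the per-user limit and the brute-force throttler on login remain the stronger controls.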
* Respect bruteforce settings in the Throttler
  Roeland Jago Douma | 2017-04-02 | 1 file | -0/+65
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>