From e66bc4a8a74ad6071569ea707e986a0e21aca66d Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Thu, 19 Mar 2020 12:09:57 +0100 Subject: Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling --- lib/private/Security/Bruteforce/Throttler.php | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) (limited to 'lib/private/Security') diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php index 63c6361b9ce..8e485046602 100644 --- a/lib/private/Security/Bruteforce/Throttler.php +++ b/lib/private/Security/Bruteforce/Throttler.php @@ -34,6 +34,7 @@ use OCP\AppFramework\Utility\ITimeFactory; use OCP\IConfig; use OCP\IDBConnection; use OCP\ILogger; +use OCP\Security\Bruteforce\MaxDelayReached; /** * Class Throttler implements the bruteforce protection for security actions in @@ -50,6 +51,7 @@ use OCP\ILogger; */ class Throttler { public const LOGIN_ACTION = 'login'; + public const MAX_DELAY = 25; /** @var IDBConnection */ private $db; @@ -241,7 +243,7 @@ class Throttler { return 0; } - $maxDelay = 25; + $maxDelay = self::MAX_DELAY; $firstDelay = 0.1; if ($attempts > (8 * PHP_INT_SIZE - 1)) { // Don't ever overflow. Just assume the maxDelay time:s @@ -308,4 +310,22 @@ class Throttler { usleep($delay * 1000); return $delay; } + + /** + * Will sleep for the defined amount of time unless maximum is reached + * In case of maximum a "429 Too Many Request" response is thrown + * + * @param string $ip + * @param string $action optionally filter by action + * @return int the time spent sleeping + * @throws MaxDelayReached when reached the maximum + */ + public function sleepDelayOrThrowOnMax($ip, $action = '') { + $delay = $this->getDelay($ip, $action); + if ($delay === self::MAX_DELAY * 1000) { + throw new MaxDelayReached(); + } + usleep($delay * 1000); + return $delay; + } } -- cgit v1.2.3