From 5aa388bbe291a31fe96dc03836bc1c6822839109 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Wed, 21 Dec 2016 10:53:20 +0100
Subject: Make sure the loginname is set when logging in via cookie
Signed-off-by: Joas Schilling
---
 lib/private/User/Session.php | 1 +
 1 file changed, 1 insertion(+)
(limited to 'lib/private/User/Session.php')
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index dcda825b9db..1834bd025d1 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -743,6 +743,7 @@ class Session implements IUserSession, Emitter {
 //login
 $this->setUser($user);
+ $this->setLoginName($this->tokenProvider->getToken($sessionId)->getLoginName());
 $user->updateLastLoginTimestamp();
 $this->manager->emit('\OC\User', 'postRememberedLogin', [$user]);
 return true;
-- 
cgit v1.2.3
From cdf01feba78696aa74b7f57a43380757d67df4aa Mon Sep 17 00:00:00 2001
From: Bjoern Schiessle
Date: Tue, 17 Jan 2017 17:21:27 +0100
Subject: add action to existing brute force protection
Signed-off-by: Bjoern Schiessle
---
 core/Controller/LoginController.php | 12 ++++++------
 core/Controller/OCSController.php | 2 +-
 lib/private/User/Session.php | 6 +++---
 3 files changed, 10 insertions(+), 10 deletions(-)
(limited to 'lib/private/User/Session.php')
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index 3c81ed5242a..187c818b9e1 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
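Review bot: The added setLoginName() call performs a fresh getToken($sessionId) lookup after setUser($user) has already run, so if getToken() reports an unknown or expired token by throwing rather than returning null, the cookie login aborts with the user set but no login name and without the postRememberedLogin event or last-login update that follow. Fetching the token before any session state is mutated keeps the method all-or-nothing: `$token = $this->tokenProvider->getToken($sessionId);` ahead of `$this->setUser($user);`, then `$this->setLoginName($token->getLoginName());`. If this method already holds the session token from an earlier step, reusing it avoids the second lookup entirely. The enclosing method starts before the hunk, so whether such a lookup exists is not visible here.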
@@ -205,8 +205,8 @@ class LoginController extends Controller {
 * @return RedirectResponse
 */
 public function tryLogin($user, $password, $redirect_url, $remember_login = false, $timezone = '', $timezone_offset = '') {
- $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());
- $this->throttler->sleepDelay($this->request->getRemoteAddress());
+ $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress(), 'login');
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login');
 // If the user is already logged in and the CSRF check does not pass then
 // simply redirect the user to the correct page as required. This is the
@@ -230,7 +230,7 @@ class LoginController extends Controller {
 if ($loginResult === false) {
 $this->throttler->registerAttempt('login', $this->request->getRemoteAddress(), ['user' => $originalUser]);
 if($currentDelay === 0) {
- $this->throttler->sleepDelay($this->request->getRemoteAddress());
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login');
 }
 $this->session->set('loginMessages', [
 ['invalidpassword'], []
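Review bot: The action is now a bare `'login'` literal that has to match byte-for-byte between `registerAttempt('login', …)` and `getDelay(…, 'login')` / `sleepDelay(…, 'login')`, and the two APIs take it in opposite positions (first argument versus second), so a typo or a swapped argument at any call site would presumably leave attempts recorded under one action while the delay is looked up under another, silently weakening the throttling for that endpoint. The same applies to @@ -230, to the `'sudo'` pair at @@ -295, to OCSController @@ -128 and to Session @@ -317 / @@ -334. A shared constant on the throttler, e.g. `const ACTION_LOGIN = 'login';` referenced as `Throttler::ACTION_LOGIN` at every call site, would let static analysis catch a mismatch. Failing that, a comment at the first call site such as `// action must match the one passed to registerAttempt() on failure` makes the coupling explicit.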
@@ -295,15 +295,15 @@ class LoginController extends Controller {
 * @return DataResponse
 */
 public function confirmPassword($password) {
- $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());
- $this->throttler->sleepDelay($this->request->getRemoteAddress());
+ $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress(), 'sudo');
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'sudo');
 $loginName = $this->userSession->getLoginName();
 $loginResult = $this->userManager->checkPassword($loginName, $password);
 if ($loginResult === false) {
 $this->throttler->registerAttempt('sudo', $this->request->getRemoteAddress(), ['user' => $loginName]);
 if ($currentDelay === 0) {
- $this->throttler->sleepDelay($this->request->getRemoteAddress());
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'sudo');
 }
 return new DataResponse([], Http::STATUS_FORBIDDEN);
diff --git a/core/Controller/OCSController.php b/core/Controller/OCSController.php
index c59b0d7ad3f..dc9775f2603 100644
--- a/core/Controller/OCSController.php
+++ b/core/Controller/OCSController.php
@@ -128,7 +128,7 @@ class OCSController extends \OCP\AppFramework\OCSController {
 */
 public function personCheck($login = '', $password = '') {
 if ($login !== '' && $password !== '') {
- $this->throttler->sleepDelay($this->request->getRemoteAddress());
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login');
 if ($this->userManager->checkPassword($login, $password)) {
 return new DataResponse([
 'person' => [
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 1834bd025d1..9cc42e671a8 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
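Review bot: personCheck() only sleeps for the existing delay before checkPassword(); unlike tryLogin and confirmPassword in this same commit it never reads getDelay() first, so a first failed check on this endpoint cannot apply an initial delay within the same request. Whether the failure branch registers the attempt under 'login' lies outside the hunk; if it does not, this endpoint would be delayed only by attempts made elsewhere and would remain the weakest of the three password-check paths. Mirroring the controller pattern — `$currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress(), 'login');` before the sleep and `if ($currentDelay === 0) { $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login'); }` after a failed check — would keep the three login endpoints consistent. The enclosing method continues past the hunk.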
@@ -317,7 +317,7 @@ class Session implements IUserSession, Emitter {
 $password,
 IRequest $request,
 OC\Security\Bruteforce\Throttler $throttler) {
- $currentDelay = $throttler->sleepDelay($request->getRemoteAddress());
+ $currentDelay = $throttler->sleepDelay($request->getRemoteAddress(), 'login');
 $isTokenPassword = $this->isTokenPassword($password);
 if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
@@ -334,7 +334,7 @@ class Session implements IUserSession, Emitter {
 $throttler->registerAttempt('login', $request->getRemoteAddress(), ['uid' => $user]);
 if($currentDelay === 0) {
- $throttler->sleepDelay($request->getRemoteAddress());
+ $throttler->sleepDelay($request->getRemoteAddress(), 'login');
 }
 return false;
 }
@@ -768,7 +768,7 @@ class Session implements IUserSession, Emitter {
 try {
 $this->tokenProvider->invalidateToken($this->session->getId());
 } catch (SessionNotAvailableException $ex) {
-
+
 }
 }
 $this->setUser(null);
-- 
cgit v1.2.3
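Review bot: At @@ -334 the failed-attempt metadata records the account under the key `'uid'` (`['uid' => $user]`) while the LoginController and sudo paths changed by this same commit record it under `'user'`; since the commit is already unifying the throttler call sites by action, aligning this key as well, e.g. `['user' => $user]`, would keep the brute-force attempt records queryable by a single field. At @@ -317 the current delay is taken from sleepDelay()'s return value whereas the controllers read getDelay() before sleeping; that is only equivalent as long as sleepDelay() keeps returning the delay it applied, which deserves a one-line note such as `// sleepDelay() returns the delay applied; checked below so a failed attempt is delayed once`. Both hunks lie inside a method whose signature starts before the hunk.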