Skip to content

Send "429 Too Many Requests" in case of brute force protection #22280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
MorrisJobke merged 15 commits into from
Aug 19, 2020
Merged

Send "429 Too Many Requests" in case of brute force protection #22280

Changes from 1 commit
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
e66bc4a
Send "429 Too Many Requests" in case of brute force protection
nickvergessen Mar 19, 2020
cdb36c8
Let the database count the entries
nickvergessen Mar 19, 2020
c8fea66
Split delay calculation from getting the attempts
nickvergessen Mar 19, 2020
64539a6
Make Throttler strict
nickvergessen Mar 19, 2020
6f751d0
Make the throttling O(2^n) instead of O(n^n)
nickvergessen Mar 19, 2020
8376c48
Only throw when also the last 30 mins were attacking
nickvergessen Mar 19, 2020
dfeee3b
Fix wrong doc + type hint
nickvergessen Mar 19, 2020
d9c4c9e
Simplify array filter
nickvergessen Mar 19, 2020
931aca2
Add missing default
nickvergessen Jun 3, 2020
770381c
Correctly return ms delay when at max
nickvergessen Jul 9, 2020
35a8519
Fix CS
nickvergessen Jul 9, 2020
41d8a7e
Fix unit tests
nickvergessen Aug 19, 2020
6f5f71d
Update autoloader
nickvergessen Aug 19, 2020
a9f22ac
More test fixing
nickvergessen Aug 19, 2020
e93bf71
Fix the return type of OC_Template->fetchPage() to be string only
MorrisJobke Aug 19, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Correctly return ms delay when at max 
Signed-off-by: Joas Schilling <[email protected]>
  • Loading branch information
@nickvergessen
nickvergessen committed Aug 19, 2020
commit 770381c0c69f43e0efa7e9e803b40a2d0d1b6496
7 changes: 4 additions & 3 deletions lib/private/Security/Bruteforce/Throttler.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@
class Throttler {
public const LOGIN_ACTION = 'login';
public const MAX_DELAY = 25;
public const MAX_DELAY_MS = 25000; // in milliseconds
public const MAX_ATTEMPTS = 10;

/** @var IDBConnection */
Expand Down Expand Up @@ -263,12 +264,12 @@ public function getDelay(string $ip, string $action = ''): int {
$firstDelay = 0.1;
if ($attempts > self::MAX_ATTEMPTS) {
// Don't ever overflow. Just assume the maxDelay time:s
return self::MAX_DELAY;
return self::MAX_DELAY_MS;
}

$delay = $firstDelay * 2**$attempts;
if ($delay > self::MAX_DELAY) {
return self::MAX_DELAY;
return self::MAX_DELAY_MS;
}
return (int) \ceil($delay * 1000);
}
Expand Down Expand Up @@ -338,7 +339,7 @@ public function sleepDelay(string $ip, string $action = ''): int {
*/
public function sleepDelayOrThrowOnMax(string $ip, string $action = ''): int {
$delay = $this->getDelay($ip, $action);
if (($delay === self::MAX_DELAY * 1000) && $this->getAttempts($ip, $action, 0.5) > self::MAX_ATTEMPTS) {
if (($delay === self::MAX_DELAY_MS) && $this->getAttempts($ip, $action, 0.5) > self::MAX_ATTEMPTS) {
// If the ip made too many attempts within the last 30 mins we don't execute anymore
throw new MaxDelayReached('Reached maximum delay');
}
Expand Down