throttle login attempts, controlled by Config::AUTH_MIN_INTERVAL

author: Andrew Dolgov <[email protected]> 2021-03-12 09:35:01 +0300
committer: Andrew Dolgov <[email protected]> 2021-03-12 09:35:01 +0300
commit: 580eccd3da5c968859b293ddcd290acc78705d51 (patch)
tree: 8aa472416267ce7274953a989b6a545819a8e245 /plugins
parent: b9268fcc88f2f2ff03be2ec43f6206350cfc64f7 (diff)
1 files changed, 26 insertions, 0 deletions
diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php
index e63263a5d..0aeff117e 100644
--- a/plugins/auth_internal/init.php
+++ b/plugins/auth_internal/init.php
@@ -150,6 +150,32 @@ class Auth_Internal extends Auth_Base {
 
 		if ($user) {
 
+			// don't throttle app passwords
+			if (!$service && get_schema_version() >= 145) {
+
+				if ($user->last_auth_attempt) {
+					$last_auth_attempt = strtotime($user->last_auth_attempt);
+
+					if ($last_auth_attempt && time() - $last_auth_attempt < Config::get(Config::AUTH_MIN_INTERVAL)) {
+						Logger::log(E_USER_NOTICE, "Too many authentication attempts for {$user->login}, throttled.");
+
+						// start an empty session to deliver login error message
+						if (session_status() != PHP_SESSION_ACTIVE)
+							session_start();
+
+						$_SESSION["login_error_msg"] = "Too many authentication attempts, throttled.";
+
+						$user->last_auth_attempt = Db::NOW();
+						$user->save();
+
+						return false;
+					}
+				}
+
+				$user->last_auth_attempt = Db::NOW();
+				$user->save();
+			}
+
 			$salt = $user['salt'] ?? "";
 			$login = $user['login'];
 			$pwd_hash = $user['pwd_hash'];
author	Andrew Dolgov <[email protected]>	2021-03-12 09:35:01 +0300
committer	Andrew Dolgov <[email protected]>	2021-03-12 09:35:01 +0300
commit	580eccd3da5c968859b293ddcd290acc78705d51 (patch)
tree	8aa472416267ce7274953a989b6a545819a8e245 /plugins
parent	b9268fcc88f2f2ff03be2ec43f6206350cfc64f7 (diff)