Diffstat (limited to 'plugins/auth_internal/init.php')
-rw-r--r-- | plugins/auth_internal/init.php | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php
index 9155f8165..3f5a2e977 100644
--- a/plugins/auth_internal/init.php
+++ b/plugins/auth_internal/init.php
@@ -50,7 +50,7 @@ class Auth_Internal extends Auth_Base {
 return false;
 } */
- if (UserHelper::check_otp($user_id, $otp))
+ if ($this->check_password($user_id, $password) && UserHelper::check_otp($user_id, $otp))
 return $user_id;
 else
 return false;
@@ -109,7 +109,7 @@ class Auth_Internal extends Auth_Base {
 <?= \Controls\hidden_tag("op", "login") ?>
 <fieldset>
- <label><?= __("Please enter your one time password:") ?></label>
+ <label><?= __("Please enter verification code (OTP):") ?></label>
 <input id="otp" dojoType="dijit.form.ValidationTextBox" required="1" autocomplete="off" size="6" name="otp" value=""/>
 <?= \Controls\submit_tag(__("Continue")) ?>
 </fieldset>
@@ -150,6 +150,32 @@ class Auth_Internal extends Auth_Base {
 if ($user) {
+ // don't throttle app passwords
+ if (!$service && get_schema_version() >= 145) {
+
+ if ($user->last_auth_attempt) {
+ $last_auth_attempt = strtotime($user->last_auth_attempt);
+
+ if ($last_auth_attempt && time() - $last_auth_attempt < Config::get(Config::AUTH_MIN_INTERVAL)) {
+ Logger::log(E_USER_NOTICE, "Too many authentication attempts for {$user->login}, throttled.");
+
+ // start an empty session to deliver login error message
+ if (session_status() != PHP_SESSION_ACTIVE)
+ session_start();
+
+ $_SESSION["login_error_msg"] = __("Too many authentication attempts, throttled.");
+
+ $user->last_auth_attempt = Db::NOW();
+ $user->save();
+
+ return false;
+ }
+ }
+
+ $user->last_auth_attempt = Db::NOW();
+ $user->save();
+ }
+
 $salt = $user['salt'] ?? "";
 $login = $user['login'];
 $pwd_hash = $user['pwd_hash']; |
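Review bot: The commented-out block that ends at `} */` directly above the new condition in the first hunk appears to be the old inline password check that `$this->check_password($user_id, $password)` now replaces, so it should be deleted rather than left next to the live code. With `&&` the OTP is no longer evaluated when the password fails, which is the right order for this path (the second factor is only consulted once the first has been verified), but that intent deserves a one-line comment, e.g. `// second factor is only checked after the password has been verified`. The enclosing method starts and ends outside the hunk.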
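Review bot: In the third hunk `last_auth_attempt` is stamped on every non-service attempt before the password is verified, and the key is the login name alone, so a correct login arriving within `Config::AUTH_MIN_INTERVAL` of any earlier attempt for that user is rejected and repeated requests naming a user can keep that account throttled indefinitely; consider stamping only after a failed hash comparison (below the hunk) or scoping the interval to the client address as well as the login. The `$user->last_auth_attempt = Db::NOW(); $user->save();` pair is duplicated in the throttled branch and after it, and could be hoisted above the `if ($user->last_auth_attempt)` check with `return false;` keeping its early exit. `strtotime($user->last_auth_attempt)` interprets the stored `Db::NOW()` value in PHP's default timezone, which presumably has to agree with the database session timezone for `time() - $last_auth_attempt` to be meaningful; a comment such as `// assumes PHP and DB timezones agree, otherwise the interval check is off by the offset` would record that. The enclosing method starts and ends outside the hunk.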