public/tt-rss
1
0
Fork 0
mirror of https://git.tt-rss.org/git/tt-rss.git synced 2025-12-13 15:25:59 +00:00
Code Issues Releases Wiki Activity

throttle login attempts, controlled by Config::AUTH_MIN_INTERVAL

Browse Source
This commit is contained in:
Andrew Dolgov
2021-03-12 09:35:01 +03:00
parent b9268fcc88
commit 580eccd3da
2 changed files with 30 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
plugins/auth_internal/init.php
View File

@@ -150,6 +150,32 @@ class Auth_Internal extends Auth_Base {
if ($user) {
// don't throttle app passwords
if (!$service && get_schema_version() >= 145) {
if ($user->last_auth_attempt) {
$last_auth_attempt = strtotime($user->last_auth_attempt);
if ($last_auth_attempt && time() - $last_auth_attempt < Config::get(Config::AUTH_MIN_INTERVAL)) {
Logger::log(E_USER_NOTICE, "Too many authentication attempts for {$user->login}, throttled.");
// start an empty session to deliver login error message
if (session_status() != PHP_SESSION_ACTIVE)
session_start();
$_SESSION["login_error_msg"] = "Too many authentication attempts, throttled.";
$user->last_auth_attempt = Db::NOW();
$user->save();
return false;
}
}
$user->last_auth_attempt = Db::NOW();
$user->save();
}
$salt = $user['salt'] ?? "";
$login = $user['login'];
$pwd_hash = $user['pwd_hash'];