upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-08 16:26:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 12

feat: Add a header which signals that the request was throttled

Browse source 
Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Joas Schilling 2023-08-14 19:16:31 +02:00
parent 97548e789f
commit 5c0789197f
No known key found for this signature in database
GPG key ID: 74434EFE0D2E2205
1 changed files with 14 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
View file

@ -51,6 +51,8 @@ use ReflectionMethod;
* @package OC\AppFramework\Middleware\Security
*/
class BruteForceMiddleware extends Middleware {
private int $delaySlept = 0;
public function __construct(
protected ControllerMethodReflector $reflector,
protected Throttler $throttler,
@ -67,7 +69,7 @@ class BruteForceMiddleware extends Middleware {
if ($this->reflector->hasAnnotation('BruteForceProtection')) {
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action);
$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action);
} else {
$reflectionMethod = new ReflectionMethod($controller, $methodName);
$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);
@ -79,7 +81,7 @@ class BruteForceMiddleware extends Middleware {
/** @var BruteForceProtection $protection */
$protection = $attribute->newInstance();
$action = $protection->getAction();
$this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action);
$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action);
}
}
}
@ -95,7 +97,7 @@ class BruteForceMiddleware extends Middleware {
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
$ip = $this->request->getRemoteAddress();
$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());
$this->throttler->sleepDelayOrThrowOnMax($ip, $action);
$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
} else {
$reflectionMethod = new ReflectionMethod($controller, $methodName);
$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);
@ -111,7 +113,7 @@ class BruteForceMiddleware extends Middleware {
if (!isset($metaData['action']) || $metaData['action'] === $action) {
$this->throttler->registerAttempt($action, $ip, $metaData);
$this->throttler->sleepDelayOrThrowOnMax($ip, $action);
$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
}
}
} else {
@ -127,6 +129,14 @@ class BruteForceMiddleware extends Middleware {
}
}
if ($this->delaySlept) {
$headers = $response->getHeaders();
if (!isset($headers['X-Nextcloud-Bruteforce-Throttled'])) {
$headers['X-Nextcloud-Bruteforce-Throttled'] = $this->delaySlept . 'ms';
$response->setHeaders($headers);
}
}
return parent::afterController($controller, $methodName, $response);
}