upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-06 23:34:22 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

feat: don't count failed CSRF as failed login attempt

Browse source 
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
This commit is contained in:
Benjamin Gaussorgues 2024-06-27 16:14:51 +02:00 committed by Andy Scherzinger
parent 52718fe2f5
commit 8df095f368
2 changed files with 12 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
core/Controller/LoginController.php
View file

@ -232,7 +232,7 @@ class LoginController extends Controller {
$this->canResetPassword($passwordLink, $user)
);
}
/**
* Sets the initial state of whether or not a user is allowed to login with their email
* initial state is passed in the array of 1 for email allowed and 0 for not allowed
@ -326,7 +326,8 @@ class LoginController extends Controller {
$user,
$user,
$redirect_url,
self::LOGIN_MSG_CSRFCHECKFAILED
self::LOGIN_MSG_CSRFCHECKFAILED,
false,
);
}
@ -376,7 +377,12 @@ class LoginController extends Controller {
* @return RedirectResponse
*/
private function createLoginFailedResponse(
$user, $originalUser, $redirect_url, string $loginMessage) {
$user,
$originalUser,
$redirect_url,
string $loginMessage,
bool $throttle = true,
) {
// Read current user and append if possible we need to
// return the unmodified user otherwise we will leak the login name
$args = $user !== null ? ['user' => $originalUser, 'direct' => 1] : [];
@ -386,7 +392,9 @@ class LoginController extends Controller {
$response = new RedirectResponse(
$this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)
);
$response->throttle(['user' => substr($user, 0, 64)]);
if ($throttle) {
$response->throttle(['user' => substr($user, 0, 64)]);
}
$this->session->set('loginMessages', [
[$loginMessage], []
]);

1
tests/Core/Controller/LoginControllerTest.php
View file

@ -544,7 +544,6 @@ class LoginControllerTest extends TestCase {
$response = $this->loginController->tryLogin($loginChain, 'Jane', $password, $originalUrl);
$expected = new RedirectResponse('');
$expected->throttle(['user' => 'Jane']);
$this->assertEquals($expected, $response);
}