Skip to content

Commit

Permalink
feat: don't count failed CSRF as failed login attempt
Browse files Browse the repository at this point in the history
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
  • Loading branch information
Altahrim authored and backportbot[bot] committed Jul 11, 2024
1 parent ee8872d commit f30137d
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 5 deletions.
16 changes: 12 additions & 4 deletions core/Controller/LoginController.php
Original file line number Diff line number Diff line change
Expand Up @@ -232,7 +232,7 @@ private function setPasswordResetInitialState(?string $username): void {
$this->canResetPassword($passwordLink, $user)
);
}

/**
* Sets the initial state of whether or not a user is allowed to login with their email
* initial state is passed in the array of 1 for email allowed and 0 for not allowed
Expand Down Expand Up @@ -326,7 +326,8 @@ public function tryLogin(Chain $loginChain,
$user,
$user,
$redirect_url,
self::LOGIN_MSG_CSRFCHECKFAILED
self::LOGIN_MSG_CSRFCHECKFAILED,
false,
);
}

Expand Down Expand Up @@ -376,7 +377,12 @@ public function tryLogin(Chain $loginChain,
* @return RedirectResponse
*/
private function createLoginFailedResponse(
$user, $originalUser, $redirect_url, string $loginMessage) {
$user,
$originalUser,
$redirect_url,
string $loginMessage,
bool $throttle = true,
) {
// Read current user and append if possible we need to
// return the unmodified user otherwise we will leak the login name
$args = $user !== null ? ['user' => $originalUser, 'direct' => 1] : [];
Expand All @@ -386,7 +392,9 @@ private function createLoginFailedResponse(
$response = new RedirectResponse(
$this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)
);
$response->throttle(['user' => substr($user, 0, 64)]);
if ($throttle) {
$response->throttle(['user' => substr($user, 0, 64)]);
}
$this->session->set('loginMessages', [
[$loginMessage], []
]);
Expand Down
1 change: 0 additions & 1 deletion tests/Core/Controller/LoginControllerTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -544,7 +544,6 @@ public function testLoginWithoutPassedCsrfCheckAndNotLoggedIn(): void {
$response = $this->loginController->tryLogin($loginChain, 'Jane', $password, $originalUrl);

$expected = new RedirectResponse('');
$expected->throttle(['user' => 'Jane']);
$this->assertEquals($expected, $response);
}

Expand Down

0 comments on commit f30137d

Please sign in to comment.