Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable14] Bruteforce protection handling in combination with #12160

Merged
merged 3 commits into from
Nov 1, 2018
Merged

[stable14] Bruteforce protection handling in combination with #12160

merged 3 commits into from
Nov 1, 2018

Conversation

Dagefoerde
Copy link
Member

Backports

Cheers!

Signed-off-by: Jan C. Dageförde jan.dagefoerde@ercis.uni-muenster.de

@rullzer @Dagefoerde
Reset bruteforce on token refresh OAuth
71d2d3c 
When using atoken obtained via OAuth the token expires. Resulting in
brute force attempts hitting the requesting IP.

This resets the brute force attempts for that UID on a valid refresh of
the token.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer @Dagefoerde
Move ExpiredTokenException to the correct namespace
f171378 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer @Dagefoerde
Error out early on an expired token
e3f3212 
Fixes nextcloud#12131

If we hit an expired token there is no need to continue checking. Since
we know it is a token.

We also should not register this with the bruteforce throttler as it is
actually a valid token. Just expired. Instead the authentication should
fail. And buisness continues as usual.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer rullzer added this to the Nextcloud 14.0.4 milestone Oct 31, 2018
@rullzer rullzer added bug 3. to review Waiting for reviews labels Oct 31, 2018
@rullzer
Copy link
Member

rullzer commented Oct 31, 2018

@Dagefoerde mind to backport to 13 as well?

MorrisJobke
MorrisJobke approved these changes Nov 1, 2018
View reviewed changes
Copy link
Member

@MorrisJobke MorrisJobke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code change looks good 👍

@MorrisJobke MorrisJobke merged commit d1d82fc into nextcloud:stable14 Nov 1, 2018
@Dagefoerde
Copy link
Member Author

@Dagefoerde mind to backport to 13 as well?

generally, sure :)

in this case, I had better not. Sorry. Rebasing your second (cleanup) commit gives funny conflicts

DU lib/private/Authentication/Token/Manager.php
DU lib/private/Authentication/Token/PublicKeyTokenProvider.php
[...]
DU tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php

... and since I'm not familiar with (the rest of) Nextcloud authentication, I'd rather leave it up to you. Not sure what the consequences would be. It's not really necessary for Moodle, though. I'll advise 14.0.4 as the minimum Nextcloud version anyway ;)

@MorrisJobke MorrisJobke mentioned this pull request Nov 13, 2018
Merged
@MorrisJobke MorrisJobke mentioned this pull request Nov 22, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MorrisJobke MorrisJobke MorrisJobke approved these changes

@rullzer rullzer rullzer approved these changes

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst

Assignees
No one assigned
Labels
3. to review Waiting for reviews bug
Projects
None yet
Milestone
Nextcloud 14.0.4
Development

Successfully merging this pull request may close these issues.
3 participants
@Dagefoerde @rullzer @MorrisJobke