Protect public links password page

[PVince81]

@karakayasemi @pmaier1

From owncloud/core#33542

[karakayasemi]

We already can count failed share access attempts by using share.linkaccess event.

I tried to emit an event before the password check of the public link and listen to it in brute_force_protection app. Throwing an exception in this event callback is enough for blocking brute force attempt.

If is it okay to add new events to the core for pre-post public link password check, I can start to implement this feature.
@PVince81, @DeepDiver1975 what are your thoughts?

[PVince81]

@karakayasemi sounds good. I thought we already had such events.

[pmaier1]

Yeah, sounds good, nice feature addition!

[PVince81]

was the core PR the only one needed or does the app require modifications as well ? @karakayasemi

[karakayasemi]

No, the core PR was prerequisite for the desired feature. Now, we can count failed share access attempts by using share.linkaccess event and block attacker by using newly added share.beforelinkauth event.

In the failed login, we have a blocking policy based on uid+ip combination.
In here I guess we should use share_id+ip combination. For this purpose, I am planning to create a new table similar to this https://github.com/owncloud/brute_force_protection/blob/master/appinfo/Migrations/Version20180802194631.php#L26 and only change uid column to share_id. Another option is changing the current bfp_failed_logins table's uid column to a more generic one and use it for both features.

Also, the admin panel needs modification to configure the new feature's policy. Have you any suggestions about the blocking policy, admin configuration parameters etc. @pmaier1 @PVince81 @RavenousCtulhu?