daenamnu/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2026-05-29 23:10:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: address second round of code-review comments

Browse Source 
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-05-04 10:01:09 +00:00
committed by GitHub
parent 8356d0dadc
commit 6a9e55a8de
3 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
php/src/Controller/LoginController.php
View File

@@ -40,12 +40,18 @@ readonly class LoginController {
$response->getBody()->write("Unable to determine client IP. Login refused.");
return $response->withStatus(403);
}
$rateLimitKey = 'login_attempts_' . hash('sha256', $ip);
// Use HMAC to avoid leaking which IPs are being tracked via predictable cache-key names.
$hmacKey = (string)(apcu_fetch('login_rate_limit_hmac_key') ?: '');
if ($hmacKey === '') {
$hmacKey = bin2hex(random_bytes(16));
apcu_add('login_rate_limit_hmac_key', $hmacKey);
}
$rateLimitKey = 'login_attempts_' . hash_hmac('sha256', $ip, $hmacKey);
$attempts = (int)(apcu_fetch($rateLimitKey) ?: 0);
if ($attempts >= self::MAX_FAILED_ATTEMPTS) {
// Keep a delay even when blocked so the 429 itself isn't a timing oracle.
sleep(5);
// Return 429 immediately; the rate limit itself is sufficient protection.
$response->getBody()->write("Too many failed login attempts. Please try again later.");
return $response->withStatus(429);
}