From b67b3bbe1549f847e9830ae41ab1d9629300083c Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Tue, 7 Apr 2026 15:08:01 +0200
Subject: [PATCH] Also punish failed logins via GET and URL-token

Signed-off-by: Pablo Zmdl <pablo@nextcloud.com>
---
 php/src/Controller/LoginController.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/php/src/Controller/LoginController.php b/php/src/Controller/LoginController.php
index b3c74b30..d37a2210 100644
--- a/php/src/Controller/LoginController.php
+++ b/php/src/Controller/LoginController.php
@@ -42,6 +42,9 @@ readonly class LoginController {
             return $response->withHeader('Location', '../..')->withStatus(302);
         }
 
+        // Punish failed auth attempts with a delay, as a very simple means against bots.
+        sleep(5);
+
         return $response->withHeader('Location', '../..')->withStatus(302);
     }