From bc968d18e686d694d7bc80aa072f3e3eb364a821 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl
Date: Tue, 7 Apr 2026 14:51:32 +0200
Subject: [PATCH 1/2] Punish failed login attempts with a delay

This is a very simple means against bots, until we find the time to discuss and implement something better.

Signed-off-by: Pablo Zmdl
---
 php/src/Controller/LoginController.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/php/src/Controller/LoginController.php b/php/src/Controller/LoginController.php
index a90bde26..b3c74b30 100644
--- a/php/src/Controller/LoginController.php
+++ b/php/src/Controller/LoginController.php
@@ -28,6 +28,9 @@ readonly class LoginController {
 return $response->withHeader('Location', '.')->withStatus(201);
 }
+ // Punish failed auth attempts with a delay, as a very simple means against bots.
+ sleep(5);
+
 $response->getBody()->write("The password is incorrect.");
 return $response->withHeader('Location', '.')->withStatus(422);
 }

From b67b3bbe1549f847e9830ae41ab1d9629300083c Mon Sep 17 00:00:00 2001
From: Pablo Zmdl
Date: Tue, 7 Apr 2026 15:08:01 +0200
Subject: [PATCH 2/2] Also punish failed logins via GET and URL-token

Signed-off-by: Pablo Zmdl
---
 php/src/Controller/LoginController.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/php/src/Controller/LoginController.php b/php/src/Controller/LoginController.php
index b3c74b30..d37a2210 100644
--- a/php/src/Controller/LoginController.php
+++ b/php/src/Controller/LoginController.php
@@ -42,6 +42,9 @@ readonly class LoginController {
 return $response->withHeader('Location', '../..')->withStatus(302);
 }
+ // Punish failed auth attempts with a delay, as a very simple means against bots.
+ sleep(5);
+
 return $response->withHeader('Location', '../..')->withStatus(302);
 }
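Review bot: The unconditional `sleep(5)` before the 422 response keeps the worker handling the request busy for five seconds on every wrong password, and because each request sleeps on its own it does not slow a client that sends attempts in parallel; under load the sleeping requests can occupy the worker pool and delay legitimate logins. The same applies to the identical lines the second patch adds on the URL-token path. Counting failures per client or account and answering with 429 once a threshold is passed, or throttling the login route at the reverse proxy, would bound the guess rate without holding workers. If the sleep stays as a stopgap, the comment should state the limit, e.g. `// Stopgap: blocks this worker for 5 s per failed attempt; does not limit parallel attempts.` The enclosing method begins outside the hunk.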
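Review bot: The comment and `sleep(5)` added before the final redirect are a verbatim copy of the ones in the password branch, so the two failure paths can drift apart when the delay is later tuned or replaced. A small private method called from both places, for example `private function delayFailedAttempt(): void { sleep(5); }`, would keep them in step and give one place to record the failed attempt for log-based blocking, which nothing in the visible lines does. The enclosing method starts outside the hunk, so whether the failure is already logged earlier cannot be seen from here.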