mirror of https://github.com/nextcloud/server
feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep
Signed-off-by: Joas Schilling <coding@schilljs.com>
parent
a95800c647
commit
abc98d343c
|
@ -352,6 +352,19 @@ $CONFIG = [
|
|||
*/
|
||||
'auth.bruteforce.protection.enabled' => true,
|
||||
|
||||
/**
|
||||
* Whether the bruteforce protection shipped with Nextcloud should be set to testing mode.
|
||||
*
|
||||
* In testing mode bruteforce attempts are still recorded, but the requests do
|
||||
* not sleep/wait for the specified time. They will still abort with
|
||||
* "429 Too Many Requests" when the maximum delay is reached.
|
||||
* Enabling this is discouraged for security reasons
|
||||
* and should only be done for debugging and on CI when running tests.
|
||||
*
|
||||
* Defaults to ``false``
|
||||
*/
|
||||
'auth.bruteforce.protection.testing' => false,
|
||||
|
||||
/**
|
||||
* Whether the rate limit protection shipped with Nextcloud should be enabled or not.
|
||||
*
|
||||
|
|
|
@ -280,7 +280,9 @@ class Throttler implements IThrottler {
|
|||
*/
|
||||
public function sleepDelay(string $ip, string $action = ''): int {
|
||||
$delay = $this->getDelay($ip, $action);
|
||||
usleep($delay * 1000);
|
||||
if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
|
||||
usleep($delay * 1000);
|
||||
}
|
||||
return $delay;
|
||||
}
|
||||
|
||||
|
@ -304,7 +306,9 @@ class Throttler implements IThrottler {
|
|||
'delay' => $delay,
|
||||
]);
|
||||
}
|
||||
usleep($delay * 1000);
|
||||
if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
|
||||
usleep($delay * 1000);
|
||||
}
|
||||
return $delay;
|
||||
}
|
||||
}
|
||||
|
|
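Review bot: With `auth.bruteforce.protection.testing` set, both `sleepDelay()` and the method in the second hunk (its signature is outside the hunk) skip `usleep()` silently, so a CI setting left behind on a production instance removes the per-request delay with nothing in the code path or the log to show it; only the 429 at maximum delay remains as a brake. I would read the flag in one private helper rather than repeating the `getSystemValueBool()` lookup in two places, and add a comment at the branch such as `// Testing mode (CI/debug only): the delay is still computed and returned, but the request does not wait.` The docblock of `sleepDelay()` ends just above the hunk and, as far as is visible here, does not say that the method may now return without sleeping; one sentence there would keep callers from assuming the wait always happened. If the class has a logger available, a warning-level entry (or an admin setup warning) when the flag is true would make the weakened state detectable.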