Added rate limiting for login and forgot password

2026-05-05 17:26:58 +02:00 · 2017-08-28 14:24:48 -06:00
parent 0c11df8f67
commit 87d4c28b4a
3 changed files with 24 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@

 1. [](#new)
    * Added 2-Factor Authentication support to the admin!!
+    * Added rate-limiting for "failed login attempts" and "forgot password"
 1. [](#improved)
    * Revamped the toggle switch CSS so it's more flexible and works better [#1198](https://github.com/getgrav/grav-plugin-admin/issues/1198)
    * Improved toggle/button alignment on Page edit view
--- a/classes/admin.php
+++ b/classes/admin.php
@@ -350,6 +350,17 @@ class Admin
     */
    public function authenticate($data, $post)
    {
+        $count = $this->grav['config']->get('plugins.login.max_login_count', 5);
+        $interval = $this->grav['config']->get('plugins.login.max_login_interval', 10);
+        $login = $this->grav['login'];
+
+        if ($login->isUserRateLimited($this->user, 'login_attempts', $count, $interval)) {
+            $this->setMessage($this->translate(['PLUGIN_LOGIN.TOO_MANY_LOGIN_ATTEMPTS', $interval]), 'error');
+            $this->grav->redirect($post['redirect']);
+            return true;
+        }
+
+
        if (!$this->user->authenticated && isset($data['username']) && isset($data['password'])) {
            // Perform RegEX check on submitted username to check for emails
            if (filter_var($data['username'], FILTER_VALIDATE_EMAIL)) {
@@ -385,12 +396,9 @@ class Admin
        }

        $user->authenticated = true;
-
+        $this->login->resetRateLimits($user,'login_attempts');

        if ($user->authorize('admin.login')) {
-
-
-
            $this->user = $this->session->user = $user;

            /** @var Grav $grav */
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -1152,6 +1152,7 @@ class AdminController extends AdminBaseController
        $param_sep = $this->grav['config']->get('system.param_sep', ':');
        $post      = $this->post;
        $data      = $this->data;
+        $login     = $this->grav['login'];

        $username = isset($data['username']) ? strip_tags(strtolower($data['username'])) : '';
        $user     = !empty($username) ? User::load($username) : null;
@@ -1179,6 +1180,16 @@ class AdminController extends AdminBaseController
            return true;
        }

+        $count = $this->grav['config']->get('plugins.login.max_pw_resets_count', 0);
+        $interval =$this->grav['config']->get('plugins.login.max_pw_resets_interval', 2);
+
+        if ($login->isUserRateLimited($user, 'pw_resets', $count, $interval)) {
+            $this->admin->setMessage($this->admin->translate(['PLUGIN_LOGIN.FORGOT_CANNOT_RESET_IT_IS_BLOCKED', $user->email, $interval]), 'error');
+            $this->setRedirect($post['redirect']);
+
+            return true;
+        }
+
        $token  = md5(uniqid(mt_rand(), true));
        $expire = time() + 604800; // next week