author | Andy Staudacher <andy.st@gmail.com> | 2010-01-30 21:42:57 -0800 |
committer | Andy Staudacher <andy.st@gmail.com> | 2010-01-30 21:42:57 -0800 |
commit | 1470b99d1facd07fcb46c0c4e46896d339f5a75a (patch) | |
tree | 2e5198c80e014b94c5b5156cc8d7ee5b9e7480c6 | |
parent | cb92e58d40bfa866c07b10fe189bd653074a9917 (diff) |
Protect REST login controller from brute force attacks too.
And make the REST auth token less predictable by using a better source for randomness.
-rw-r--r-- | modules/gallery/helpers/auth.php | 9 | ||||
-rw-r--r-- | modules/rest/controllers/rest.php | 7 | ||||
-rw-r--r-- | modules/rest/helpers/rest.php | 2 |
3 files changed, 15 insertions, 3 deletions
diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php
index e112f127..8c7a0b6d 100644
--- a/modules/gallery/helpers/auth.php
+++ b/modules/gallery/helpers/auth.php
@@ -64,14 +64,19 @@ class auth_Core {
    * minute.
    */
   static function validate_too_many_failed_logins($name_input) {
+    $name = is_object($name_input) ? $name_input->value : $name_input;
     $failed_login = ORM::factory("failed_login")
-      ->where("name", "=", $name_input->value)
+      ->where("name", "=", $name)
       ->find();
     if ($failed_login->loaded() && $failed_login->count > 5 && (time() - $failed_login->time < 60)) {
-      $name_input->add_error("too_many_failed_logins", 1);
+      if (is_object($name_input)) {
+        $name_input->add_error("too_many_failed_logins", 1);
+      }
+      return false;
     }
+    return true;
   }
   /**
diff --git a/modules/rest/controllers/rest.php b/modules/rest/controllers/rest.php
index ba996b84..64a548d0 100644
--- a/modules/rest/controllers/rest.php
+++ b/modules/rest/controllers/rest.php
@@ -22,11 +22,18 @@ class Rest_Controller extends Controller {
     $username = Input::instance()->post("user");
     $password = Input::instance()->post("password");
+    if (empty($username) || !auth::validate_too_many_failed_logins($username)) {
+      throw new Rest_Exception("Forbidden", 403);
+    }
+
     $user = identity::lookup_user_by_name($username);
     if (empty($user) || !identity::is_correct_password($user, $password)) {
+      module::event("user_login_failed", $username);
       throw new Rest_Exception("Forbidden", 403);
     }
+    auth::login($user);
+
     $key = rest::get_access_token($user->id);
     rest::reply($key->access_key);
   }
diff --git a/modules/rest/helpers/rest.php b/modules/rest/helpers/rest.php
index 3883794a..b3f80a55 100644
--- a/modules/rest/helpers/rest.php
+++ b/modules/rest/helpers/rest.php
@@ -64,7 +64,7 @@ class rest_Core {
     if (!$key->loaded()) {
       $key->user_id = $user_id;
-      $key->access_key = md5(rand());
+      $key->access_key = md5(md5(uniqid(mt_rand(), true) . access::private_key()));
       $key->save();
     }
     return $key; |
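Review bot: validate_too_many_failed_logins now accepts either a form-input object or a plain username string and returns a boolean, but the docblock above it (which starts outside the hunk, only "* minute." is visible) still describes only the form case; add `@param object|string $name_input form field exposing ->value, or the bare username` and `@return bool false when this name is currently locked out, true otherwise`. Every caller that passes a string gets the lockout signalled solely through the return value, so that contract needs to be stated where callers will see it; the object branch still calls add_error, so pre-existing form callers keep working. `is_object($name_input)` is also evaluated twice; computing it once into a local (`$is_form = is_object($name_input);`) would make the two branches visibly consistent.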
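Review bot: `empty($username)` in the new guard also rejects the legitimate username "0", and if Input::post passes a `user[]` array through, an array reaches the ORM lookup inside validate_too_many_failed_logins; a type-aware check such as `if (!is_string($username) || $username === "" || !auth::validate_too_many_failed_logins($username)) {` closes both gaps. The counter consulted here is keyed by username (the `where("name", ...)` in the auth.php hunk), so the new check slows repeated guesses at one account but not a sweep across many accounts, which deserves a comment so nobody reads it as per-client rate limiting. Returning the same 403 Forbidden for the lockout and for bad credentials is the right choice, since a distinguishable response would reveal which usernames exist. The enclosing login action begins outside the hunk, so whether `auth::login($user)` is meant to establish a web session for a token client cannot be judged from here; a one-line comment naming the side effect it is relied on for would help the next reader.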
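Review bot: The new access key is still derived from `uniqid()` and `mt_rand()`, neither of which is a cryptographic generator (both are time-seeded and reconstructible), so the token's unpredictability rests entirely on `access::private_key()` staying secret, and the outer md5() adds nothing over the inner one. On PHP 7+ `$key->access_key = bin2hex(random_bytes(16));` yields 128 bits straight from the OS CSPRNG; on the older versions this tree appears to target, `bin2hex(openssl_random_pseudo_bytes(16))` (PHP 5.3+) is the closest equivalent, with the current expression kept only as a fallback when that function is unavailable. A comment stating that access_key is a long-lived bearer secret and must come from a CSPRNG would stop a later refactor from reintroducing rand().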