authorAndy Staudacher <andy.st@gmail.com>2010-01-30 21:42:57 -0800
committerAndy Staudacher <andy.st@gmail.com>2010-01-30 21:42:57 -0800
commit1470b99d1facd07fcb46c0c4e46896d339f5a75a (patch)
tree2e5198c80e014b94c5b5156cc8d7ee5b9e7480c6 /modules/gallery/helpers/auth.php
parentcb92e58d40bfa866c07b10fe189bd653074a9917 (diff)
Protect REST login controller from brute force attacks too.
And make the REST auth token less predictable by using a better source for randomness.
Diffstat (limited to 'modules/gallery/helpers/auth.php')
-rw-r--r--modules/gallery/helpers/auth.php9
1 files changed, 7 insertions, 2 deletions
diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php
index e112f127..8c7a0b6d 100644
--- a/modules/gallery/helpers/auth.php
+++ b/modules/gallery/helpers/auth.php
@@ -64,14 +64,19 @@ class auth_Core {
* minute.
*/
static function validate_too_many_failed_logins($name_input) {
+ $name = is_object($name_input) ? $name_input->value : $name_input;
$failed_login = ORM::factory("failed_login")
- ->where("name", "=", $name_input->value)
+ ->where("name", "=", $name)
->find();
if ($failed_login->loaded() &&
$failed_login->count > 5 &&
(time() - $failed_login->time < 60)) {
- $name_input->add_error("too_many_failed_logins", 1);
+ if (is_object($name_input)) {
+ $name_input->add_error("too_many_failed_logins", 1);
+ }
+ return false;
}
+ return true;
}
/**
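Review bot: validate_too_many_failed_logins now has a boolean result, but its docblock (it begins above the hunk) still only describes the lockout window, and a caller that passes a plain string instead of a form field gets no add_error() call, so the return value is its only signal that the login must be refused. Document that contract so the new REST caller cannot silently ignore it: `@param object|string $name_input  form field (errors attached) or bare user name` and `@return bool  true if the login may proceed, false if the name is locked out`. The `is_object()` check on the first added line is duck typing; if every form-field caller passes the same Kohana input class, `$name_input instanceof` that class would make the two branches explicit, though I cannot see the callers from this hunk. Consider also a `@param` note that a string caller must check the result, since the old void signature let callers ignore it.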