diff options
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/gallery/helpers/auth.php | 9 | ||||
| -rw-r--r-- | modules/rest/controllers/rest.php | 7 | ||||
| -rw-r--r-- | modules/rest/helpers/rest.php | 2 |
3 files changed, 15 insertions, 3 deletions
diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php index e112f127..8c7a0b6d 100644 --- a/modules/gallery/helpers/auth.php +++ b/modules/gallery/helpers/auth.php @@ -64,14 +64,19 @@ class auth_Core { * minute. */ static function validate_too_many_failed_logins($name_input) { + $name = is_object($name_input) ? $name_input->value : $name_input; $failed_login = ORM::factory("failed_login") - ->where("name", "=", $name_input->value) + ->where("name", "=", $name) ->find(); if ($failed_login->loaded() && $failed_login->count > 5 && (time() - $failed_login->time < 60)) { - $name_input->add_error("too_many_failed_logins", 1); + if (is_object($name_input)) { + $name_input->add_error("too_many_failed_logins", 1); + } + return false; } + return true; } /** diff --git a/modules/rest/controllers/rest.php b/modules/rest/controllers/rest.php index ba996b84..64a548d0 100644 --- a/modules/rest/controllers/rest.php +++ b/modules/rest/controllers/rest.php @@ -22,11 +22,18 @@ class Rest_Controller extends Controller { $username = Input::instance()->post("user"); $password = Input::instance()->post("password"); + if (empty($username) || !auth::validate_too_many_failed_logins($username)) { + throw new Rest_Exception("Forbidden", 403); + } + $user = identity::lookup_user_by_name($username); if (empty($user) || !identity::is_correct_password($user, $password)) { + module::event("user_login_failed", $username); throw new Rest_Exception("Forbidden", 403); } + auth::login($user); + $key = rest::get_access_token($user->id); rest::reply($key->access_key); } diff --git a/modules/rest/helpers/rest.php b/modules/rest/helpers/rest.php index 3883794a..b3f80a55 100644 --- a/modules/rest/helpers/rest.php +++ b/modules/rest/helpers/rest.php @@ -64,7 +64,7 @@ class rest_Core { if (!$key->loaded()) { $key->user_id = $user_id; - $key->access_key = md5(rand()); + $key->access_key = md5(md5(uniqid(mt_rand(), true) . access::private_key())); $key->save(); } return $key; |