From 2bfcec9620814a6f3d0163a174d7ba90efef369d Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 30 Jan 2010 19:48:57 -0800
Subject: Prevent brute force login attacks by reducing login attempts to 1 per
 minute after there have been 5 consecutive failed login attempts.

Fix for ticket #589.
---
 modules/gallery/helpers/auth.php | 45 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

(limited to 'modules/gallery/helpers/auth.php')

diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php
index f7d4f7e8..e112f127 100644
--- a/modules/gallery/helpers/auth.php
+++ b/modules/gallery/helpers/auth.php
@@ -22,7 +22,10 @@ class auth_Core {
     $form = new Forge($url, "", "post", array("id" => "g-login-form"));
     $form->set_attr('class', "g-narrow");
     $group = $form->group("login")->label(t("Login"));
-    $group->input("name")->label(t("Username"))->id("g-username")->class(null);
+    $group->input("name")->label(t("Username"))->id("g-username")->class(null)
+      ->callback("auth::validate_too_many_failed_logins")
+      ->error_messages(
+        "too_many_failed_logins", t("Too many failed login attempts.  Try again later"));
     $group->password("password")->label(t("Password"))->id("g-password")->class(null);
     $group->inputs["name"]->error_messages("invalid_login", t("Invalid name or password"));
     $group->submit("")->value(t("Login"));
@@ -55,4 +58,44 @@ class auth_Core {
                 array("url" => user_profile::url($user->id),
                       "user_name" => html::clean($user->name))));
   }
+
+  /**
+   * After there have been 5 failed login attempts, any failure leads to getting locked out for a
+   * minute.
+   */
+  static function validate_too_many_failed_logins($name_input) {
+    $failed_login = ORM::factory("failed_login")
+      ->where("name", "=", $name_input->value)
+      ->find();
+    if ($failed_login->loaded() &&
+        $failed_login->count > 5 &&
+        (time() - $failed_login->time < 60)) {
+      $name_input->add_error("too_many_failed_logins", 1);
+    }
+  }
+
+  /**
+   * Record a failed login for this user
+   */
+  static function record_failed_login($name) {
+    $failed_login = ORM::factory("failed_login")
+      ->where("name", "=", $name)
+      ->find();
+    if (!$failed_login->loaded()) {
+      $failed_login->name = $name;
+    }
+    $failed_login->time = time();
+    $failed_login->count++;
+    $failed_login->save();
+  }
+
+  /**
+   * Clear any failed logins for this user
+   */
+  static function record_successful_login($user) {
+    db::build()
+      ->delete("failed_logins")
+      ->where("name", "=", $user->name)
+      ->execute();
+  }
 }
\ No newline at end of file
-- 
cgit v1.2.3