From: Tim Düsterhus Date: Tue, 10 Nov 2020 09:46:35 +0000 (+0100) Subject: Add flood control for multi-factor authentication X-Git-Tag: 5.4.0_Alpha_1~555^2~53^2~10 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=d4c705b31315d610e72013316e18b336ffd6bdbd;p=GitHub%2FWoltLab%2FWCF.git Add flood control for multi-factor authentication
---
diff --git a/com.woltlab.wcf/objectType.xml b/com.woltlab.wcf/objectType.xml
index 554f04e1df..c080b52037 100644
--- a/com.woltlab.wcf/objectType.xml
+++ b/com.woltlab.wcf/objectType.xml
@@ -1728,6 +1728,10 @@ 1 wcf\system\user\multifactor\BackupMultifactorMethod + + com.woltlab.wcf.multifactor.backup + com.woltlab.wcf.floodControl + com.woltlab.wcf.multifactor.totp com.woltlab.wcf.multifactor
@@ -1735,6 +1739,10 @@ 10 wcf\system\user\multifactor\TotpMultifactorMethod + + com.woltlab.wcf.multifactor.totp + com.woltlab.wcf.floodControl +
diff --git a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
index 91116c5ead..4a70764c8b 100644
--- a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
+++ b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
@@ -1,5 +1,6 @@ algorithm = new Bcrypt(); }
@@ -212,7 +215,18 @@ class BackupMultifactorMethod implements IMultifactorMethod {
 ->label('wcf.user.security.multifactor.backup.code')
 ->autoFocus()
 ->required()
- ->addValidator(new FormFieldValidator('code', function (TextFormField $field) use ($codes) {
+ ->addValidator(new FormFieldValidator('code', function (TextFormField $field) use ($codes, $setupId) {
+ FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.backup', $setupId);
+ $attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.backup', $setupId, new \DateInterval('PT1H'));
+ if ($attempts['count'] > self::USER_ATTEMPTS_PER_HOUR) {
+ $field->addValidationError(new FormFieldValidationError(
+ 'flood',
+ 'wcf.user.security.multifactor.backup.error.flood',
+ $attempts
+ ));
+ return;
+ }
+
 $userCode = \preg_replace('/\s+/', '', $field->getValue());
 
 if ($this->findValidCode($userCode, $codes) === null) {
diff --git a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
index dffca00603..c21156602e 100644
--- a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
+++ b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
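Review bot: The register-then-count ordering in the new validator body is easy to misread: `registerUserContent` runs before `countUserContent`, so `$attempts['count']` presumably already includes the current submission and the `>` comparison admits exactly USER_ATTEMPTS_PER_HOUR attempts per window before the 'flood' error fires — assuming countUserContent sees the just-registered row, which the hunk does not show. A short comment above the `if` would make that explicit, e.g. `// The current attempt was registered above and is already part of $attempts['count'].` The attempt is also registered before the code is checked, so successful verifications count toward the limit as well; if that is intended (it is the safer choice, since the counter cannot be reset by a lucky guess), the same comment should say so. The enclosing method, the USER_ATTEMPTS_PER_HOUR definition and the rest of the closure lie outside this hunk.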
@@ -1,6 +1,7 @@ label('wcf.user.security.multifactor.totp.code')
 ->autoFocus()
 ->required()
- ->addValidator(new FormFieldValidator('code', function (CodeFormField $field) use ($devices) {
+ ->addValidator(new FormFieldValidator('code', function (CodeFormField $field) use ($devices, $setupId) {
+ FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.backup', $setupId);
+ $attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.backup', $setupId, new \DateInterval('PT10M'));
+ if ($attempts['count'] > self::USER_ATTEMPTS_PER_TEN_MINUTES) {
+ $field->addValidationError(new FormFieldValidationError(
+ 'flood',
+ 'wcf.user.security.multifactor.totp.error.flood',
+ $attempts
+ ));
+ return;
+ }
+
 /** @var IFormField $deviceField */
 $deviceField = $field->getDocument()->getNodeById('device');
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index b16802f0be..e7235e1c9f 100644
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -4857,6 +4857,8 @@ Die E-Mail-Adresse des neuen Benutzers lautet: {@$user->email} + +
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index 4eee12d387..42135f5dd7 100644
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -4854,6 +4854,8 @@ Open the link below to access the user profile: + +
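Review bot: The TOTP validator registers and counts under the object type `'com.woltlab.wcf.multifactor.backup'` in both FloodControl calls, although objectType.xml in this same commit registers `com.woltlab.wcf.multifactor.totp` for `com.woltlab.wcf.floodControl` and the error language item used here is the totp one — this looks like a copy-paste from BackupMultifactorMethod. As written, TOTP and backup-code attempts for the same setup share one counter but are evaluated against two different windows and thresholds (PT10M / USER_ATTEMPTS_PER_TEN_MINUTES here versus PT1H / USER_ATTEMPTS_PER_HOUR in the backup validator), and the newly registered totp object type is never used, so lockouts would be hard to reason about and the per-method limits would not behave as configured. Both calls should name the totp type: `FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.totp', $setupId);` and `$attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.totp', $setupId, new \DateInterval('PT10M'));`. The enclosing method and the USER_ATTEMPTS_PER_TEN_MINUTES definition start outside this hunk, and the hunk header itself did not survive rendering, so the surrounding context is inferred from the backup-code hunk.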