From d4c705b31315d610e72013316e18b336ffd6bdbd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?= <duesterhus@woltlab.com>
Date: Tue, 10 Nov 2020 10:46:35 +0100
Subject: [PATCH] Add flood control for multi-factor authentication

---
 com.woltlab.wcf/objectType.xml                   |  8 ++++++++
 .../BackupMultifactorMethod.class.php            | 16 +++++++++++++++-
 .../multifactor/TotpMultifactorMethod.class.php  | 16 +++++++++++++++-
 wcfsetup/install/lang/de.xml                     |  2 ++
 wcfsetup/install/lang/en.xml                     |  2 ++
 5 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/com.woltlab.wcf/objectType.xml b/com.woltlab.wcf/objectType.xml
index 554f04e1df..c080b52037 100644
--- a/com.woltlab.wcf/objectType.xml
+++ b/com.woltlab.wcf/objectType.xml
@@ -1728,6 +1728,10 @@
 			<priority>1</priority>
 			<classname>wcf\system\user\multifactor\BackupMultifactorMethod</classname>
 		</type>
+		<type>
+			<name>com.woltlab.wcf.multifactor.backup</name>
+			<definitionname>com.woltlab.wcf.floodControl</definitionname>
+		</type>
 		<type>
 			<name>com.woltlab.wcf.multifactor.totp</name>
 			<definitionname>com.woltlab.wcf.multifactor</definitionname>
@@ -1735,6 +1739,10 @@
 			<priority>10</priority>
 			<classname>wcf\system\user\multifactor\TotpMultifactorMethod</classname>
 		</type>
+		<type>
+			<name>com.woltlab.wcf.multifactor.totp</name>
+			<definitionname>com.woltlab.wcf.floodControl</definitionname>
+		</type>
 		<!-- /multi factor -->
 		<!-- deprecated -->
 		<type>
diff --git a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
index 91116c5ead..4a70764c8b 100644
--- a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
+++ b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
@@ -1,5 +1,6 @@
 <?php
 namespace wcf\system\user\multifactor;
+use wcf\system\flood\FloodControl;
 use wcf\system\form\builder\container\FormContainer;
 use wcf\system\form\builder\field\ButtonFormField;
 use wcf\system\form\builder\field\TextFormField;
@@ -30,6 +31,8 @@ class BackupMultifactorMethod implements IMultifactorMethod {
 	private const CHUNKS = 4;
 	private const CHUNK_LENGTH = 5;
 	
+	private const USER_ATTEMPTS_PER_HOUR = 5;
+	
 	public function __construct() {
 		$this->algorithm = new Bcrypt();
 	}
@@ -212,7 +215,18 @@ class BackupMultifactorMethod implements IMultifactorMethod {
 				->label('wcf.user.security.multifactor.backup.code')
 				->autoFocus()
 				->required()
-				->addValidator(new FormFieldValidator('code', function (TextFormField $field) use ($codes) {
+				->addValidator(new FormFieldValidator('code', function (TextFormField $field) use ($codes, $setupId) {
+					FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.backup', $setupId);
+					$attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.backup', $setupId, new \DateInterval('PT1H'));
+					if ($attempts['count'] > self::USER_ATTEMPTS_PER_HOUR) {
+						$field->addValidationError(new FormFieldValidationError(
+							'flood',
+							'wcf.user.security.multifactor.backup.error.flood',
+							$attempts
+						));
+						return;
+					}
+					
 					$userCode = \preg_replace('/\s+/', '', $field->getValue());
 					
 					if ($this->findValidCode($userCode, $codes) === null) {
diff --git a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
index dffca00603..c21156602e 100644
--- a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
+++ b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
@@ -1,6 +1,7 @@
 <?php
 namespace wcf\system\user\multifactor;
 use ParagonIE\ConstantTime\Hex;
+use wcf\system\flood\FloodControl;
 use wcf\system\form\builder\button\FormButton;
 use wcf\system\form\builder\container\FormContainer;
 use wcf\system\form\builder\field\ButtonFormField;
@@ -28,6 +29,8 @@ use wcf\system\WCF;
  * @since	5.4
  */
 class TotpMultifactorMethod implements IMultifactorMethod {
+	private const USER_ATTEMPTS_PER_TEN_MINUTES = 5;
+	
 	/**
 	 * Returns the number of devices the user set up.
 	 */
@@ -201,7 +204,18 @@ class TotpMultifactorMethod implements IMultifactorMethod {
 				->label('wcf.user.security.multifactor.totp.code')
 				->autoFocus()
 				->required()
-				->addValidator(new FormFieldValidator('code', function (CodeFormField $field) use ($devices) {
+				->addValidator(new FormFieldValidator('code', function (CodeFormField $field) use ($devices, $setupId) {
+					FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.backup', $setupId);
+					$attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.backup', $setupId, new \DateInterval('PT10M'));
+					if ($attempts['count'] > self::USER_ATTEMPTS_PER_TEN_MINUTES) {
+						$field->addValidationError(new FormFieldValidationError(
+							'flood',
+							'wcf.user.security.multifactor.totp.error.flood',
+							$attempts
+						));
+						return;
+					}
+					
 					/** @var IFormField $deviceField */
 					$deviceField = $field->getDocument()->getNodeById('device');
 					
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index b16802f0be..e7235e1c9f 100644
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -4857,6 +4857,8 @@ Die E-Mail-Adresse des neuen Benutzers lautet: {@$user->email}
 		<item name="wcf.user.security.multifactor.backup.generateCodes"><![CDATA[Codes generieren]]></item>
 		<item name="wcf.user.security.multifactor.totp.devices"><![CDATA[Eingerichtete GerÃ¤te]]></item>
 		<item name="wcf.user.security.multifactor.totp.deviceName.default"><![CDATA[{TIME_NOW|plainTime}]]></item>
+		<item name="wcf.user.security.multifactor.totp.error.flood"><![CDATA[Bitte {if LANGUAGE_USE_INFORMAL_VARIANT}versuche es{else}versuchen Sie es{/if} spÃ¤ter erneut.]]></item>
+		<item name="wcf.user.security.multifactor.backup.error.flood"><![CDATA[Bitte {if LANGUAGE_USE_INFORMAL_VARIANT}versuche es{else}versuchen Sie es{/if} spÃ¤ter erneut.]]></item>
 	</category>
 	<category name="wcf.user.trophy">
 		<item name="wcf.user.trophy.trophyPoints"><![CDATA[TrophÃ¤en]]></item>
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index 4eee12d387..42135f5dd7 100644
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -4854,6 +4854,8 @@ Open the link below to access the user profile:
 		<item name="wcf.user.security.multifactor.backup.generateCodes"><![CDATA[Generate Codes]]></item>
 		<item name="wcf.user.security.multifactor.totp.devices"><![CDATA[Set Up Devices]]></item>
 		<item name="wcf.user.security.multifactor.totp.deviceName.default"><![CDATA[{TIME_NOW|plainTime}]]></item>
+		<item name="wcf.user.security.multifactor.totp.error.flood"><![CDATA[Please try again later.]]></item>
+		<item name="wcf.user.security.multifactor.backup.error.flood"><![CDATA[Please try again later.]]></item>
 	</category>
 	<category name="wcf.user.trophy">
 		<item name="wcf.user.trophy.trophyPoints"><![CDATA[Trophies]]></item>
-- 
2.20.1

