From d4c705b31315d610e72013316e18b336ffd6bdbd Mon Sep 17 00:00:00 2001 From: =?utf8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 10 Nov 2020 10:46:35 +0100 Subject: [PATCH] Add flood control for multi-factor authentication --- com.woltlab.wcf/objectType.xml | 8 ++++++++ .../BackupMultifactorMethod.class.php | 16 +++++++++++++++- .../multifactor/TotpMultifactorMethod.class.php | 16 +++++++++++++++- wcfsetup/install/lang/de.xml | 2 ++ wcfsetup/install/lang/en.xml | 2 ++ 5 files changed, 42 insertions(+), 2 deletions(-) diff --git a/com.woltlab.wcf/objectType.xml b/com.woltlab.wcf/objectType.xml index 554f04e1df..c080b52037 100644 --- a/com.woltlab.wcf/objectType.xml +++ b/com.woltlab.wcf/objectType.xml @@ -1728,6 +1728,10 @@ 1 wcf\system\user\multifactor\BackupMultifactorMethod + + com.woltlab.wcf.multifactor.backup + com.woltlab.wcf.floodControl + com.woltlab.wcf.multifactor.totp com.woltlab.wcf.multifactor @@ -1735,6 +1739,10 @@ 10 wcf\system\user\multifactor\TotpMultifactorMethod + + com.woltlab.wcf.multifactor.totp + com.woltlab.wcf.floodControl + diff --git a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php index 91116c5ead..4a70764c8b 100644 --- a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php +++ b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php @@ -1,5 +1,6 @@ algorithm = new Bcrypt(); } 
@@ -212,7 +215,18 @@ class BackupMultifactorMethod implements IMultifactorMethod { ->label('wcf.user.security.multifactor.backup.code') ->autoFocus() ->required() - ->addValidator(new FormFieldValidator('code', function (TextFormField $field) use ($codes) { + ->addValidator(new FormFieldValidator('code', function (TextFormField $field) use ($codes, $setupId) { + FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.backup', $setupId); + $attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.backup', $setupId, new \DateInterval('PT1H')); + if ($attempts['count'] > self::USER_ATTEMPTS_PER_HOUR) { + $field->addValidationError(new FormFieldValidationError( + 'flood', + 'wcf.user.security.multifactor.backup.error.flood', + $attempts + )); + return; + } + $userCode = \preg_replace('/\s+/', '', $field->getValue()); if ($this->findValidCode($userCode, $codes) === null) { diff --git a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php index dffca00603..c21156602e 100644 --- a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php +++ b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php 
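Review bot: The object-type string 'com.woltlab.wcf.multifactor.backup' is written out twice in the new validator, once in registerUserContent and once in countUserContent, and the same pair of calls is duplicated in TotpMultifactorMethod further down this patch, which is exactly where such a repeated literal invites a stale copy. A class constant, `private const FLOOD_CONTROL_OBJECT_TYPE = 'com.woltlab.wcf.multifactor.backup';`, referenced from both calls would keep the identifier in one place and make a cloned copy visibly wrong. The ordering of the two calls deserves a why-comment, e.g. `// Register first so the current attempt counts toward the limit, keyed per setup rather than per session.`, since it is what makes the `> self::USER_ATTEMPTS_PER_HOUR` comparison block the (N+1)th attempt. USER_ATTEMPTS_PER_HOUR and the FloodControl import are not in the visible hunk text (the earlier hunks of this file were stripped in the paste), and the enclosing method starts and ends outside this hunk.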
@@ -1,6 +1,7 @@ label('wcf.user.security.multifactor.totp.code') ->autoFocus() ->required() - ->addValidator(new FormFieldValidator('code', function (CodeFormField $field) use ($devices) { + ->addValidator(new FormFieldValidator('code', function (CodeFormField $field) use ($devices, $setupId) { + FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.backup', $setupId); + $attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.backup', $setupId, new \DateInterval('PT10M')); + if ($attempts['count'] > self::USER_ATTEMPTS_PER_TEN_MINUTES) { + $field->addValidationError(new FormFieldValidationError( + 'flood', + 'wcf.user.security.multifactor.totp.error.flood', + $attempts + )); + return; + } + /** @var IFormField $deviceField */ $deviceField = $field->getDocument()->getNodeById('device'); diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml index b16802f0be..e7235e1c9f 100644 --- a/wcfsetup/install/lang/de.xml +++ b/wcfsetup/install/lang/de.xml @@ -4857,6 +4857,8 @@ Die E-Mail-Adresse des neuen Benutzers lautet: {@$user->email} + + diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml index 4eee12d387..42135f5dd7 100644 --- a/wcfsetup/install/lang/en.xml +++ b/wcfsetup/install/lang/en.xml @@ -4854,6 +4854,8 @@ Open the link below to access the user profile: + + -- 2.20.1
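Review bot: Both FloodControl calls in the TOTP validator use the object type 'com.woltlab.wcf.multifactor.backup', although objectType.xml in this same patch registers a separate flood-control object type `com.woltlab.wcf.multifactor.totp` for this method and the error item is `wcf.user.security.multifactor.totp.error.flood`. Assuming countUserContent counts registrations for the given object type and setupId, TOTP and backup-code attempts for one setup would presumably share a single counter, so TOTP attempts eat into the one-hour backup limit and vice versa, and the declared totp object type is never used. Change the two lines to `FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.totp', $setupId);` and `$attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.totp', $setupId, new \DateInterval('PT10M'));`. The `@@ -1,6 +1,7 @@` header and the start of this hunk were fused in the paste, USER_ATTEMPTS_PER_TEN_MINUTES is not defined in the visible lines, and the enclosing closure and method continue outside the hunk.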