add login rate limiting, fixes #2

Author: ylebre

init.php

@@ -40,6 +40,11 @@ function initDatabase() {
 			password TEXT NOT NULL,
 			data TEXT
 		    )',
+		    'CREATE TABLE IF NOT EXISTS ipAttempts (
+			ip VARCHAR(255) NOT NULL PRIMARY KEY,
+			type VARCHAR(255) NOT NULL,
+			expires NOT NULL
+		    )',
 		];
 
 		try {

lib/IpAttempts.php

@@ -0,0 +1,54 @@
+<?php
+	namespace Pdsinterop\PhpSolid;
+	
+	class IpAttempts {
+		private static $pdo;
+		private static function connect() {
+			if (!isset(self::$pdo)) {
+				self::$pdo = new \PDO("sqlite:" . DBPATH);
+			}
+		}
+
+		public static function logFailedAttempt($ip, $type, $expires) {
+			self::connect();
+			
+			$query = self::$pdo->prepare(
+				'INSERT INTO ipAttempts VALUES(:ip, :type, :expires)'
+			);
+			$query->execute([
+				':ip' => $ip,
+				':type' => $type,
+				':expires' => $expires->getTimestamp()
+			]);
+		}
+
+		public static function getAttemptsCount($ip, $type) {
+			self::connect();
+
+			$now = new \DateTime();
+			$query = self::$pdo->prepare(
+				'SELECT count(ip) as count FROM ipAttempts WHERE ip=:ip AND type=:type AND expires > :now'
+			);
+			$query->execute([
+				':ip' => $ip,
+				':type' => $type,
+				':now' => $now->getTimestamp()
+			]);
+			$result = $query->fetch();
+			if (isset($result['count'])) {
+				return $result['count'];
+			}
+			return 0;
+		}
+		public static function cleanupAttempts() {
+			self::connect();
+			
+			$now = new \DateTime();
+			$query = self::$pdo->prepare(
+				'DELETE FROM ipAttempts WHERE expires < :now'
+			);
+			$query->execute([
+				':now' => $now->getTimestamp()
+			]);
+		}
+	}

www/idp/index.php

@@ -9,6 +9,7 @@
 	use Pdsinterop\PhpSolid\ClientRegistration;
 	use Pdsinterop\PhpSolid\User;
 	use Pdsinterop\PhpSolid\Mailer;
+	use Pdsinterop\PhpSolid\IpAttempts;
 
 	$request = explode("?", $_SERVER['REQUEST_URI'], 2)[0];
 	$method = $_SERVER['REQUEST_METHOD'];
@@ -284,13 +285,19 @@
 				break;
 				case "/login/password":
 				case "/login/password/":
+					$failureCount = IpAttempts::getAttemptsCount($_SERVER['REMOTE_ADDR'], "login");
+					if ($failureCount > 5) {
+						header("HTTP/1.1 400 Bad Request");
+						exit();
+					}
 					if (User::checkPassword($_POST['username'], $_POST['password'])) {
 						if (!isset($_POST['redirect_uri']) || $_POST['redirect_uri'] === '') {
 							header("Location: /dashboard/");
 							exit();
 						}
 						header("Location: " . urldecode($_POST['redirect_uri'])); // FIXME: Do we need to harden this?
 					} else {
+						IpAttempts::logFailedAttempt($_SERVER['REMOTE_ADDR'], "login", time() + 3600);
 						header("Location: /login/");
 					}
 				break;
@@ -405,6 +412,7 @@
 			if (!file_exists(CLEANUP_FILE) || (filemtime(CLEANUP_FILE) < time())) {
 				touch(CLEANUP_FILE, time() + 3600);
 				User::cleanupTokens();
+				IpAttempts::cleanupAttempts();
 			}
 		break;
 		case "OPTIONS":