mirror of
https://github.com/discourse/discourse.git
synced 2024-12-15 18:23:39 +08:00
SECURITY: do cookie auth rate limiting earlier
This commit is contained in:
parent
1acef41e51
commit
0b5c3f5a03
|
@ -38,14 +38,18 @@ class Auth::DefaultCurrentUserProvider
|
||||||
current_user = nil
|
current_user = nil
|
||||||
|
|
||||||
if auth_token && auth_token.length == 32
|
if auth_token && auth_token.length == 32
|
||||||
current_user = User.where(auth_token: auth_token)
|
limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60)
|
||||||
|
|
||||||
|
if limiter.can_perform?
|
||||||
|
current_user = User.where(auth_token: auth_token)
|
||||||
.where('auth_token_updated_at IS NULL OR auth_token_updated_at > ?',
|
.where('auth_token_updated_at IS NULL OR auth_token_updated_at > ?',
|
||||||
SiteSetting.maximum_session_age.hours.ago)
|
SiteSetting.maximum_session_age.hours.ago)
|
||||||
.first
|
.first
|
||||||
|
end
|
||||||
|
|
||||||
unless current_user
|
unless current_user
|
||||||
begin
|
begin
|
||||||
RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60).performed!
|
limiter.performed!
|
||||||
rescue RateLimiter::LimitExceeded
|
rescue RateLimiter::LimitExceeded
|
||||||
raise Discourse::InvalidAccess
|
raise Discourse::InvalidAccess
|
||||||
end
|
end
|
||||||
|
|
|
@ -86,6 +86,10 @@ describe Auth::DefaultCurrentUserProvider do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "can only try 10 bad cookies a minute" do
|
it "can only try 10 bad cookies a minute" do
|
||||||
|
|
||||||
|
user = Fabricate(:user)
|
||||||
|
provider('/').log_on_user(user, {}, {})
|
||||||
|
|
||||||
RateLimiter.stubs(:disabled?).returns(false)
|
RateLimiter.stubs(:disabled?).returns(false)
|
||||||
|
|
||||||
RateLimiter.new(nil, "cookie_auth_10.0.0.1", 10, 60).clear!
|
RateLimiter.new(nil, "cookie_auth_10.0.0.1", 10, 60).clear!
|
||||||
|
@ -97,10 +101,16 @@ describe Auth::DefaultCurrentUserProvider do
|
||||||
10.times do
|
10.times do
|
||||||
provider('/', env).current_user
|
provider('/', env).current_user
|
||||||
end
|
end
|
||||||
|
|
||||||
expect {
|
expect {
|
||||||
provider('/', env).current_user
|
provider('/', env).current_user
|
||||||
}.to raise_error(Discourse::InvalidAccess)
|
}.to raise_error(Discourse::InvalidAccess)
|
||||||
|
|
||||||
|
expect {
|
||||||
|
env["HTTP_COOKIE"] = "_t=#{user.auth_token}"
|
||||||
|
provider("/", env).current_user
|
||||||
|
}.to raise_error(Discourse::InvalidAccess)
|
||||||
|
|
||||||
env["REMOTE_ADDR"] = "10.0.0.2"
|
env["REMOTE_ADDR"] = "10.0.0.2"
|
||||||
provider('/', env).current_user
|
provider('/', env).current_user
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue
Block a user