mirror of
https://github.com/discourse/discourse.git
synced 2024-12-15 04:23:49 +08:00
SECURITY: do cookie auth rate limiting earlier
This commit is contained in:
parent
1acef41e51
commit
0b5c3f5a03
|
@ -38,14 +38,18 @@ class Auth::DefaultCurrentUserProvider
|
|||
current_user = nil
|
||||
|
||||
if auth_token && auth_token.length == 32
|
||||
limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60)
|
||||
|
||||
if limiter.can_perform?
|
||||
current_user = User.where(auth_token: auth_token)
|
||||
.where('auth_token_updated_at IS NULL OR auth_token_updated_at > ?',
|
||||
SiteSetting.maximum_session_age.hours.ago)
|
||||
.first
|
||||
end
|
||||
|
||||
unless current_user
|
||||
begin
|
||||
RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60).performed!
|
||||
limiter.performed!
|
||||
rescue RateLimiter::LimitExceeded
|
||||
raise Discourse::InvalidAccess
|
||||
end
|
||||
|
|
|
@ -86,6 +86,10 @@ describe Auth::DefaultCurrentUserProvider do
|
|||
end
|
||||
|
||||
it "can only try 10 bad cookies a minute" do
|
||||
|
||||
user = Fabricate(:user)
|
||||
provider('/').log_on_user(user, {}, {})
|
||||
|
||||
RateLimiter.stubs(:disabled?).returns(false)
|
||||
|
||||
RateLimiter.new(nil, "cookie_auth_10.0.0.1", 10, 60).clear!
|
||||
|
@ -97,10 +101,16 @@ describe Auth::DefaultCurrentUserProvider do
|
|||
10.times do
|
||||
provider('/', env).current_user
|
||||
end
|
||||
|
||||
expect {
|
||||
provider('/', env).current_user
|
||||
}.to raise_error(Discourse::InvalidAccess)
|
||||
|
||||
expect {
|
||||
env["HTTP_COOKIE"] = "_t=#{user.auth_token}"
|
||||
provider("/", env).current_user
|
||||
}.to raise_error(Discourse::InvalidAccess)
|
||||
|
||||
env["REMOTE_ADDR"] = "10.0.0.2"
|
||||
provider('/', env).current_user
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue
Block a user