From 6292a73717d88bca6e54ab57e522cf9dafd0ff8a Mon Sep 17 00:00:00 2001
From: Robbie Antenesse <dev@alamantus.com>
Date: Wed, 29 May 2019 16:35:51 -0600
Subject: [PATCH] Add failed login lockout

---
 src/php/api/config.php.changeme |  5 ++++-
 src/php/api/index.php           | 36 ++++++++++++++++++++++++++++++++-
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/php/api/config.php.changeme b/src/php/api/config.php.changeme
index b2aa988..99d1109 100644
--- a/src/php/api/config.php.changeme
+++ b/src/php/api/config.php.changeme
@@ -1,4 +1,7 @@
 <?php
 
 define('DB_USER', 'lexiconga_db_username');
-define('DB_PASSWORD', 'user_password');
\ No newline at end of file
+define('DB_PASSWORD', 'user_password');
+
+define('LOGIN_FAILURES_ALLOWED', 10);
+define('LOGIN_FAILURES_LOCKOUT_MINUTES', 60);
\ No newline at end of file
diff --git a/src/php/api/index.php b/src/php/api/index.php
index 613be9a..fdb76be 100644
--- a/src/php/api/index.php
+++ b/src/php/api/index.php
@@ -39,6 +39,26 @@ switch ($action) {
     ), 400);
   }
   case 'login': {
+    session_start();
+    if (isset($_SESSION['unlock'])) {
+      if (time() < $_SESSION['unlock']) {
+        $seconds_left = ($_SESSION['unlock'] - time());
+        $minutes_left = floor($seconds_left / 60);
+        $seconds_left = $seconds_left % 60;
+        return Response::json(array(
+          'data' => 'Too many failed login attempts. You must wait another '
+            . ($minutes_left > 0 ? $minutes_left . ' minutes ' : '')
+            . ($minutes_left > 0 && $seconds_left > 0 ? 'and ' : '')
+            . ($seconds_left > 0 ? $seconds_left . ' seconds ' : '')
+            . 'until you can log in again.',
+          'error' => true,
+        ), 403);
+      } else {
+        unset($_SESSION['failures']);
+        unset($_SESSION['unlock']);
+      }
+    }
+
     if (isset($request['email']) && isset($request['password'])) {
       $user = new User();
       $user_data = $user->logIn($request['email'], $request['password']);
@@ -48,8 +68,22 @@ switch ($action) {
           'error' => false,
         ), 200);
       }
+
+      if (!isset($_SESSION['failures'])) {
+        $_SESSION['failures'] = 0;
+      }
+      $_SESSION['failures']++;
+
+      if ($_SESSION['failures'] >= LOGIN_FAILURES_ALLOWED) {
+        $_SESSION['unlock'] = time() + (LOGIN_FAILURES_LOCKOUT_MINUTES * 60);
+        return Response::json(array(
+          'data' => 'Too many failed login attempts. You must wait ' . LOGIN_FAILURES_LOCKOUT_MINUTES . ' minutes until you can log in again.',
+          'error' => true,
+        ), 403);
+      }
+
       return Response::json(array(
-        'data' => 'Could not log in: incorrect data',
+        'data' => 'Incorrect email or password.<br>After ' . (LOGIN_FAILURES_ALLOWED - $_SESSION['failures']) . ' more failures, you will be locked out for ' . LOGIN_FAILURES_LOCKOUT_MINUTES . ' minutes.',
         'error' => true,
       ), 401);
     }