From dafecd9582385d200ca293be4eb761f92d4d82fa Mon Sep 17 00:00:00 2001 From: Robbie Antenesse Date: Wed, 29 May 2019 16:35:51 -0600 Subject: [PATCH] Add failed login lockout --- src/php/api/config.php.changeme | 5 ++++- src/php/api/index.php | 36 ++++++++++++++++++++++++++++++++- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/src/php/api/config.php.changeme b/src/php/api/config.php.changeme index b2aa988..99d1109 100644 --- a/src/php/api/config.php.changeme +++ b/src/php/api/config.php.changeme @@ -1,4 +1,7 @@ 'Too many failed login attempts. You must wait another ' + . ($minutes_left > 0 ? $minutes_left . ' minutes ' : '') + . ($minutes_left > 0 && $seconds_left > 0 ? 'and ' : '') + . ($seconds_left > 0 ? $seconds_left . ' seconds ' : '') + . 'until you can log in again.', + 'error' => true, + ), 403); + } else { + unset($_SESSION['failures']); + unset($_SESSION['unlock']); + } + } + if (isset($request['email']) && isset($request['password'])) { $user = new User(); $user_data = $user->logIn($request['email'], $request['password']); @@ -48,8 +68,22 @@ switch ($action) { 'error' => false, ), 200); } + + if (!isset($_SESSION['failures'])) { + $_SESSION['failures'] = 0; + } + $_SESSION['failures']++; + + if ($_SESSION['failures'] >= LOGIN_FAILURES_ALLOWED) { + $_SESSION['unlock'] = time() + (LOGIN_FAILURES_LOCKOUT_MINUTES * 60); + return Response::json(array( + 'data' => 'Too many failed login attempts. You must wait ' . LOGIN_FAILURES_LOCKOUT_MINUTES . ' minutes until you can log in again.', + 'error' => true, + ), 403); + } + return Response::json(array( - 'data' => 'Could not log in: incorrect data', + 'data' => 'Incorrect email or password.
After ' . (LOGIN_FAILURES_ALLOWED - $_SESSION['failures']) . ' more failures, you will be locked out for ' . LOGIN_FAILURES_LOCKOUT_MINUTES . ' minutes.', 'error' => true, ), 401); }
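Review bot: The failure counter that feeds `if ($_SESSION['failures'] >= LOGIN_FAILURES_ALLOWED)` lives only in `$_SESSION`, so a client that discards its session cookie (or never sends one) starts every request at zero and is never locked out; as written this throttles a cooperating browser, not a password-guessing script driving `$user->logIn(...)`. To make it a real brute-force control, persist the failure count and unlock time server-side keyed by the submitted email and/or source address rather than by session, and keep the session check only as a convenience. Separately, nothing visible in this hunk clears the counter on the success path that returns `), 200);` at the top, so failures accumulate across otherwise successful logins until a lockout finally resets them; add `unset($_SESSION['failures']);` before that return. The new 401 message also appears to have carried an HTML tag between `password.` and `After` that this rendering lost — if so, bear in mind this endpoint emits JSON and that markup reaches every client verbatim. The enclosing switch case begins above the hunk's first line.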