feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep

Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-08-14 18:59:50 +07:00 · 2023-08-14 18:59:50 +07:00 · abc98d343c
parent a95800c647
commit abc98d343c
2 changed files with 19 additions and 2 deletions
--- a/config/config.sample.php
+++ b/config/config.sample.php
@ -352,6 +352,19 @@ $CONFIG = [
 */
 'auth.bruteforce.protection.enabled' => true,

+/**
+ * Whether the bruteforce protection shipped with Nextcloud should be set to testing mode.
+ *
+ * In testing mode bruteforce attempts are still recorded, but the requests do
+ * not sleep/wait for the specified time. They will still abort with
+ * "429 Too Many Requests" when the maximum delay is reached.
+ * Enabling this is discouraged for security reasons
+ * and should only be done for debugging and on CI when running tests.
+ *
+ * Defaults to ``false``
+ */
+'auth.bruteforce.protection.testing' => false,
+
 /**
 * Whether the rate limit protection shipped with Nextcloud should be enabled or not.
 *
--- a/lib/private/Security/Bruteforce/Throttler.php
+++ b/lib/private/Security/Bruteforce/Throttler.php
@ -280,7 +280,9 @@ class Throttler implements IThrottler {
 	 */
 	public function sleepDelay(string $ip, string $action = ''): int {
 		$delay = $this->getDelay($ip, $action);
-		usleep($delay * 1000);
+		if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
+			usleep($delay * 1000);
+		}
 		return $delay;
 	}

@ -304,7 +306,9 @@ class Throttler implements IThrottler {
 				'delay' => $delay,
 			]);
 		}
-		usleep($delay * 1000);
+		if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
+			usleep($delay * 1000);
+		}
 		return $delay;
 	}
 }