chg: [security] TOTP anti-bruteforce support

pull/9085/head
Christophe Vandeplas 2023-05-25 21:12:07 +02:00
parent 6311f7d3e6
commit afbb9fab95
1 changed files with 6 additions and 0 deletions


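--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -1764,6 +1764,11 @@ class UsersController extends AppController
 $this->redirect('login');
 }
 if ($this->request->is('post') && isset($this->request->data['User']['otp'])) {
+$this->Bruteforce = ClassRegistry::init('Bruteforce');
+if ($this->Bruteforce->isBlocklisted($user['email'])) {
+$expire = Configure::check('SecureAuth.expire') ? Configure::read('SecureAuth.expire') : 300;
+throw new ForbiddenException('You have reached the maximum number of login attempts. Please wait ' . $expire . ' seconds and try again.');
+}
 $secret = $user['totp'];
 $otp = \OTPHP\TOTP::create($secret);
 $otp_now = $otp->now();
@@ -1776,6 +1781,7 @@ class UsersController extends AppController
 $this->Flash->error(__("The OTP is incorrect or has expired"));
 $fieldsDescrStr = 'User (' . $user['id'] . '): ' . $user['email']. ' wrong TOTP token';
 $this->User->extralog($user, "login_fail", $fieldsDescrStr, '');
+$this->Bruteforce->insert($user['email']);
 }
 } else {
 // GET Request, just show the form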
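Review bot: Nothing in either hunk clears the counter once a correct code is accepted: the check `isBlocklisted($user['email'])` runs before verification, only the wrong-token branch records an attempt via `$this->Bruteforce->insert($user['email'])`, so whether a user who types the right code after a few failures is still locked out depends entirely on the expiry logic inside the Bruteforce model, which is outside this diff and worth confirming. The `$expire` fallback of 300 in the message is resolved here independently of the model; if `isBlocklisted` derives its window from the same `SecureAuth.expire` key with a different default, the seconds shown to the user would drift from the real lockout, so consider reading it from a single place. A short comment above the `ClassRegistry::init('Bruteforce')` line would help the next reader, e.g. `// Failed TOTP submissions count against the same Bruteforce lockout, keyed on the user's email, so the second factor is rate-limited like the password step`. The enclosing method starts and ends outside the hunk.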