SECURITY: do cookie auth rate limiting earlier

This commit is contained in:
Sam 2016-08-09 10:02:18 +10:00
parent 277e7383f3
commit 5cc8bb535b
2 changed files with 16 additions and 2 deletions

View file

@ -38,14 +38,18 @@ class Auth::DefaultCurrentUserProvider
current_user = nil
if auth_token && auth_token.length == 32
current_user = User.where(auth_token: auth_token)
limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60)
if limiter.can_perform?
current_user = User.where(auth_token: auth_token)
.where('auth_token_updated_at IS NULL OR auth_token_updated_at > ?',
SiteSetting.maximum_session_age.hours.ago)
.first
end
unless current_user
begin
RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60).performed!
limiter.performed!
rescue RateLimiter::LimitExceeded
raise Discourse::InvalidAccess
end

View file

@ -86,6 +86,10 @@ describe Auth::DefaultCurrentUserProvider do
end
it "can only try 10 bad cookies a minute" do
user = Fabricate(:user)
provider('/').log_on_user(user, {}, {})
RateLimiter.stubs(:disabled?).returns(false)
RateLimiter.new(nil, "cookie_auth_10.0.0.1", 10, 60).clear!
@ -97,10 +101,16 @@ describe Auth::DefaultCurrentUserProvider do
10.times do
provider('/', env).current_user
end
expect {
provider('/', env).current_user
}.to raise_error(Discourse::InvalidAccess)
expect {
env["HTTP_COOKIE"] = "_t=#{user.auth_token}"
provider("/", env).current_user
}.to raise_error(Discourse::InvalidAccess)
env["REMOTE_ADDR"] = "10.0.0.2"
provider('/', env).current_user
end