Add config for throttling login attempts into Backend (#4974)

2020-03-10 22:57:19 -04:00 · 2020-03-10 22:57:19 -04:00 · 6c391b5e82
parent 2f500ab034
commit 6c391b5e82
3 changed files with 54 additions and 0 deletions
--- a/config/auth.php
+++ b/config/auth.php
@ -0,0 +1,39 @@
+<?php
+
+return [
+
+    'throttle' => [
+        /*
+        |--------------------------------------------------------------------------
+        | Enable throttling of Backend authentication attempts
+        |--------------------------------------------------------------------------
+        |
+        | If set to true, users will be given a limited number of attempts to sign
+        | in to the Backend before being blocked for a specified number of minutes.
+        |
+         */
+        'enabled' => true,
+
+        /*
+        |--------------------------------------------------------------------------
+        | Failed Authentication Attempt Limit
+        |--------------------------------------------------------------------------
+        |
+        | Number of failed attemps allowed while trying to authenticate a user.
+        |
+         */
+        'attemptLimit' => 5,
+
+        /*
+        |--------------------------------------------------------------------------
+        | Suspension Time
+        |--------------------------------------------------------------------------
+        |
+        | The number of minutes to suspend further attempts on authentication once
+        | the attempt limit is reached.
+        |
+         */
+        'suspensionTime' => 15,
+    ],
+
+];
--- a/modules/backend/classes/AuthManager.php
+++ b/modules/backend/classes/AuthManager.php
@ -1,5 +1,6 @@
 <?php namespace Backend\Classes;

+use Config;
 use System\Classes\PluginManager;
 use October\Rain\Auth\Manager as RainAuthManager;
 use October\Rain\Exception\SystemException;
@ -56,6 +57,11 @@ class AuthManager extends RainAuthManager
     */
    protected $permissionCache = false;

+    protected function init()
+    {
+        $this->useThrottle = Config::get('auth.throttle.enabled', true);
+    }
+
    /**
     * Registers a callback function that defines authentication permissions.
     * The callback function should register permissions by calling the manager's
--- a/modules/backend/models/UserThrottle.php
+++ b/modules/backend/models/UserThrottle.php
@ -1,5 +1,6 @@
 <?php namespace Backend\Models;

+use Config;
 use October\Rain\Auth\Models\Throttle as ThrottleBase;

 /**
@ -21,4 +22,12 @@ class UserThrottle extends ThrottleBase
    public $belongsTo = [
        'user' => User::class
    ];
+
+    public function __construct()
+    {
+        parent::__construct();
+
+        static::$attemptLimit = Config::get('auth.throttle.attemptLimit', 5);
+        static::$suspensionTime = Config::get('auth.throttle.suspensionTime', 15);
+    }
 }