Fixes #2995 - adds max login attempts/duration as .env option

This commit is contained in:
snipe 2016-12-01 02:04:15 -08:00
parent d8d800bb7a
commit 3f8f6ad981
4 changed files with 66 additions and 3 deletions


@ -79,6 +79,11 @@ AWS_KEY=null
AWS_REGION=null AWS_REGION=null
AWS_BUCKET=null AWS_BUCKET=null
# --------------------------------------------
# OPTIONAL: LOGIN THROTTLING
# --------------------------------------------
LOGIN_MAX_ATTEMPTS=5
LOGIN_LOCKOUT_DURATION=60
# -------------------------------------------- # --------------------------------------------
# OPTIONAL: MISC # OPTIONAL: MISC


@ -5,6 +5,7 @@ namespace App\Http\Controllers\Auth;
use Validator; use Validator;
use App\Http\Controllers\Controller; use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\ThrottlesLogins; use Illuminate\Foundation\Auth\ThrottlesLogins;
use Illuminate\Foundation\Auth\AuthenticatesAndRegistersUsers;
use App\Models\Setting; use App\Models\Setting;
use App\Models\Ldap; use App\Models\Ldap;
use App\Models\User; use App\Models\User;
@ -30,7 +31,7 @@ use PragmaRX\Google2FA\Google2FA;
class AuthController extends Controller class AuthController extends Controller
{ {
use ThrottlesLogins; use AuthenticatesAndRegistersUsers, ThrottlesLogins;
// This tells the auth controller to use username instead of email address // This tells the auth controller to use username instead of email address
protected $username = 'username'; protected $username = 'username';
@ -53,9 +54,10 @@ class AuthController extends Controller
} }
function showLoginForm() function showLoginForm(Request $request)
{ {
// Is the user logged in?
// Is the user logged in?
if (Auth::check()) { if (Auth::check()) {
return redirect()->intended('dashboard'); return redirect()->intended('dashboard');
} }
@ -123,6 +125,20 @@ class AuthController extends Controller
if ($validator->fails()) { if ($validator->fails()) {
return redirect()->back()->withInput()->withErrors($validator); return redirect()->back()->withInput()->withErrors($validator);
} }
// If the class is using the ThrottlesLogins trait, we can automatically throttle
// the login attempts for this application. We'll key this by the username and
// the IP address of the client making these requests into this application.
$throttles = $this->isUsingThrottlesLoginsTrait();
$this->maxLoginAttempts = config('auth.throttle.max_attempts');
$this->lockoutTime = config('auth.throttle.lockout_duration');
if ($throttles && $lockedOut = $this->hasTooManyLoginAttempts($request)) {
$this->fireLockoutEvent($request);
return $this->sendLockoutResponse($request);
}
$user = null; $user = null;
// Should we even check for LDAP users? // Should we even check for LDAP users?
@ -144,8 +160,17 @@ class AuthController extends Controller
LOG::debug("Authenticating user against database."); LOG::debug("Authenticating user against database.");
// Try to log the user in // Try to log the user in
if (!Auth::attempt(Input::only('username', 'password'), Input::get('remember-me', 0))) { if (!Auth::attempt(Input::only('username', 'password'), Input::get('remember-me', 0))) {
if ($throttles && ! $lockedOut) {
$this->incrementLoginAttempts($request);
}
LOG::debug("Local authentication failed."); LOG::debug("Local authentication failed.");
return redirect()->back()->withInput()->with('error', trans('auth/message.account_not_found')); return redirect()->back()->withInput()->with('error', trans('auth/message.account_not_found'));
} else {
if ($throttles) {
$this->clearLoginAttempts($request);
}
} }
} }
@ -258,4 +283,19 @@ class AuthController extends Controller
'password' => 'required', 'password' => 'required',
]); ]);
} }
/**
* Get the login lockout error message.
*
* @param int $seconds
* @return string
*/
protected function getLockoutErrorMessage($seconds)
{
return \Lang::has('auth/message.throttle')
? \Lang::get('auth/message.throttle', ['seconds' => $seconds])
: 'Too many login attempts. Please try again in '.$seconds.' seconds.';
}
} }
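Review bot: Replacing `use ThrottlesLogins;` with `use AuthenticatesAndRegistersUsers, ThrottlesLogins;` pulls the registration trait's public actions into this controller as well, although the only helper the new throttling code relies on, `isUsingThrottlesLoginsTrait()`, comes from the authentication half; if self-registration is not intended, `use AuthenticatesUsers, ThrottlesLogins;` keeps the exposed surface smaller, and either way confirm that no route maps to the registration methods. The attempt counter is incremented only when the local `Auth::attempt` fails, so a failed LDAP login (that branch is outside this hunk, as is the start of the enclosing login method) does not appear to count toward the lockout and could be guessed past the limit — worth verifying and, if so, incrementing on that path too. `$this->maxLoginAttempts` and `$this->lockoutTime` are assigned as undeclared dynamic properties on every request; declaring `protected $maxLoginAttempts;` and `protected $lockoutTime;` on the class makes the contract with the trait explicit and avoids dynamic-property warnings on newer PHP.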


@ -104,4 +104,21 @@ return [
], ],
], ],
/*
|--------------------------------------------------------------------------
| Login throttling
|--------------------------------------------------------------------------
|
| This handles the max failed login attempt throttling.
| You should not change the values here, but should change them in your
| application's .env file instead, as future changes to this file could
| overwrite your changes here.
|
*/
'throttle' => [
'max_attempts' => env('LOGIN_MAX_ATTEMPTS', 10),
'lockout_duration' => env('LOGIN_LOCKOUT_DURATION', 60),
],
]; ];
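Review bot: The fallback of `10` for `LOGIN_MAX_ATTEMPTS` disagrees with the `5` shipped in `.env.example` in this same commit, so an install that omits the variable gets a laxer limit than a fresh install; pick one value and use it in both places. `env()` returns strings, so casting at the boundary, `'max_attempts' => (int) env('LOGIN_MAX_ATTEMPTS', 5),` and `'lockout_duration' => (int) env('LOGIN_LOCKOUT_DURATION', 60),`, avoids string arithmetic downstream. The block comment should also state the unit of `lockout_duration` (the default of 60 and the `:seconds` lockout message suggest seconds — confirm against the trait), e.g. `| lockout_duration is expressed in seconds.`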


@ -7,6 +7,7 @@ return array(
'account_not_activated' => 'This user account is not activated.', 'account_not_activated' => 'This user account is not activated.',
'account_suspended' => 'This user account is suspended.', 'account_suspended' => 'This user account is suspended.',
'account_banned' => 'This user account is banned.', 'account_banned' => 'This user account is banned.',
'throttle' => 'Too many failed login attempts. Please try again in :seconds seconds.',
'signin' => array( 'signin' => array(
'error' => 'There was a problem while trying to log you in, please try again.', 'error' => 'There was a problem while trying to log you in, please try again.',