
fix(login): add per-IP brute-force throttling to tryLogin() #41584

Open
DeepDiver1975 wants to merge 4 commits into master from security/fix-login-brute-force

Conversation

@DeepDiver1975 (Member)

Summary

  • tryLogin() had no rate limiting; CSRF token was reusable for unlimited attempts; zero throttle subscribers on the user.loginfailed event
  • Adds per-IP exponential backoff: >10 failures within 600s → 2^excess seconds sleep per attempt, capped at 25s
  • Counter stored in oc_appconfig; reset on success; disableable via login_brute_force_protection=false in config.php

Security Impact

Medium — unlimited credential stuffing / password spraying against the HTML login form

Note

This PR touches the same files as security/fix-login-user-enumeration — merge this one first.

Test plan

  • 8 new tests cover: below-threshold no-delay, above-threshold exponential delay, expired-window reset, config-disabled, counter increment, counter reset, deletion on success, delay cap
  • Existing tests stub the new throttle methods to preserve expectations
  • Run make test TEST_PHP_SUITE=core/Controller

🤖 Generated with Claude Code

The login endpoint had no rate limiting, account lockout, or progressive
delay. A CSRF token obtained with a single GET could be reused for
unlimited POST attempts. The emitFailedLogin() event had zero subscribers
implementing any throttling.

Add per-IP exponential backoff stored in oc_appconfig: after
BRUTE_FORCE_MAX_ATTEMPTS (10) failures within a 600s window, each
subsequent attempt costs 2^excess seconds of delay (capped at 25s).
Successful login resets the counter. Feature is disabled when
login_brute_force_protection=false in config.php.

Signed-off-by: Thomas Müller <thomas.mueller@owncloud.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
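The backoff described above, as an added example that is not the project's PHP code: a Python model of the per-IP counter, the 600s window, the 2^excess delay and the 25s cap, with an in-memory dict standing in for oc_appconfig and a boolean standing in for login_brute_force_protection. Whether the delay for an attempt is computed from the failures recorded before it (as here) or after incrementing is an assumption of this model.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 10        # BRUTE_FORCE_MAX_ATTEMPTS in the PR
WINDOW_SECONDS = 600     # failures older than this no longer count
MAX_DELAY_SECONDS = 25   # cap on the sleep per attempt


@dataclass
class FailureRecord:
    count: int            # failed attempts seen in the current window
    window_start: float   # epoch seconds of the first failure in the window


class LoginThrottle:
    """Per-IP exponential backoff; `store` stands in for oc_appconfig (constructed)."""

    def __init__(self, enabled=True, store=None):
        self.enabled = enabled            # login_brute_force_protection
        self.store = {} if store is None else store

    def _live_record(self, ip, now):
        rec = self.store.get(ip)
        if rec is None or now - rec.window_start > WINDOW_SECONDS:
            return None                   # no failures inside the window
        return rec

    def delay_for(self, ip, now):
        """Seconds an attempt from `ip` must wait before being processed."""
        if not self.enabled:
            return 0
        rec = self._live_record(ip, now)
        if rec is None:
            return 0
        excess = rec.count - MAX_ATTEMPTS
        return 0 if excess <= 0 else min(2 ** excess, MAX_DELAY_SECONDS)

    def record_failure(self, ip, now):
        rec = self._live_record(ip, now)
        if rec is None:                   # expired window: start a fresh one
            self.store[ip] = FailureRecord(1, now)
        else:
            rec.count += 1
        return self.store[ip].count

    def record_success(self, ip):
        self.store.pop(ip, None)          # successful login clears the counter


def try_login(throttle, ip, password_ok, now=None, sleep=time.sleep):
    """Mimics tryLogin(): sleep for the computed delay, then apply the outcome."""
    now = time.time() if now is None else now
    delay = throttle.delay_for(ip, now)
    if delay:
        sleep(delay)
    if password_ok:
        throttle.record_success(ip)
    else:
        throttle.record_failure(ip, now)
    return delay, password_ok
```

Pass `sleep=lambda s: None` to exercise the schedule without actually waiting; the returned delay is what tryLogin() would sleep for.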
@update-docs

update-docs Bot commented Jun 5, 2026

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
…ypes

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
…ll them directly

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>