Added configurable lockout for incorrect login attempts (see configuration_sample.php)

2025-08-18 20:21:29 +02:00 · 2023-01-20 09:49:03 +01:00
parent 4203b3ca7a
commit 86dcf9fc5f
5 changed files with 61 additions and 6 deletions
--- a/tests/backend/Feature/AuthTest.php
+++ b/tests/backend/Feature/AuthTest.php
@@ -39,6 +39,39 @@ class AuthTest extends TestCase
        $this->assertUnprocessable();
    }

+    public function testBruteForceLogin()
+    {
+        $this->sendRequest('POST', '/login', [
+            'username' => 'fake',
+            'password' => 'fake',
+        ], [], ['REMOTE_ADDR' => '10.10.10.10']);
+        $this->assertUnprocessable();
+
+        for ($i = 0; $i < 20; $i++) {
+            $this->sendRequest('POST', '/login', [
+                'username' => 'fake',
+                'password' => 'fake',
+            ], [], ['REMOTE_ADDR' => '10.10.10.10']);
+        }
+        $this->assertStatus(429);
+
+        for ($i = 0; $i < 20; $i++) {
+            $this->sendRequest('POST', '/login', [
+                'username' => 'fake',
+                'password' => 'fake',
+            ], [], ['REMOTE_ADDR' => '2001:db8:3333:4444:5555:6666:7777:8888']);
+        }
+        $this->assertStatus(429);
+
+
+        // new ip should be ok
+        $this->sendRequest('POST', '/login', [
+            'username' => 'fake',
+            'password' => 'fake',
+        ], [], ['REMOTE_ADDR' => '10.10.10.1']);
+        $this->assertUnprocessable();
+    }
+
    public function testAlreadyLoggedIn()
    {
        $username = 'john@example.com';
--- a/tests/backend/TestCase.php
+++ b/tests/backend/TestCase.php
@@ -52,7 +52,7 @@ class TestCase extends BaseTestCase
        return new App($config, $request, new FakeResponse(), new FakeStreamedResponse(), new Container());
    }

-    public function sendRequest($method, $uri, $data = null, $files = [])
+    public function sendRequest($method, $uri, $data = null, $files = [], $server = [])
    {
        $fakeRequest = Request::create(
            '?r='.$uri,
@@ -60,10 +60,10 @@ class TestCase extends BaseTestCase
            [],
            [],
            $files,
-            [
+            array_replace([
                'CONTENT_TYPE' => 'application/json',
                'HTTP_ACCEPT' => 'application/json',
-            ],
+            ], $server),
            json_encode($data)
        );