From 880d5655cb1d70f1b41c6bfe2915db97bfd0eaed Mon Sep 17 00:00:00 2001 From: Roan Kattouw Date: Tue, 26 Aug 2008 22:18:24 +0000 Subject: [PATCH] API: Remove the throttle from ApiLogin because * it's been obsoleted by a similar throttle in core * it uses time(), which causes problems when you have multiple servers with a significant clock skew between them --- includes/api/ApiLogin.php | 109 -------------------------------------- 1 file changed, 109 deletions(-) diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php index 2e90b56ff6..1726ef117e 100644 --- a/includes/api/ApiLogin.php +++ b/includes/api/ApiLogin.php @@ -36,23 +36,6 @@ if (!defined('MEDIAWIKI')) { */ class ApiLogin extends ApiBase { - /** - * Time (in seconds) a user must wait after submitting - * a bad login (will be multiplied by the THROTTLE_FACTOR for each bad attempt) - */ - const THROTTLE_TIME = 5; - - /** - * The factor by which the wait-time in between authentication - * attempts is increased every failed attempt. - */ - const THROTTLE_FACTOR = 2; - - /** - * The maximum number of failed logins after which the wait increase stops. - */ - const THOTTLE_MAX_COUNT = 10; - public function __construct($main, $action) { parent :: __construct($main, $action, 'lg'); } @@ -74,16 +57,6 @@ class ApiLogin extends ApiBase { $result = array (); - // Make sure noone is trying to guess the password brut-force - $nextLoginIn = $this->getNextLoginTimeout(); - if ($nextLoginIn > 0) { - $result['result'] = 'NeedToWait'; - $result['details'] = "Please wait $nextLoginIn seconds before next log-in attempt"; - $result['wait'] = $nextLoginIn; - $this->getResult()->addValue(null, 'login', $result); - return; - } - $params = new FauxRequest(array ( 'wpName' => $name, 'wpPassword' => $password, @@ -146,91 +119,9 @@ class ApiLogin extends ApiBase { ApiBase :: dieDebug(__METHOD__, "Unhandled case value: {$authRes}"); } - if ($result['result'] != 'Success' && !isset( $result['details'] ) ) { - $delay = $this->cacheBadLogin(); - $result['wait'] = $delay; - $result['details'] = "Please wait " . $delay . " seconds before next log-in attempt"; - } - // if we were allowed to try to login, memcache is fine - $this->getResult()->addValue(null, 'login', $result); } - - /** - * Caches a bad-login attempt associated with the host and with an - * expiry of $this->mLoginThrottle. These are cached by a key - * separate from that used by the captcha system--as such, logging - * in through the standard interface will get you a legal session - * and cookies to prove it, but will not remove this entry. - * - * Returns the number of seconds until next login attempt will be allowed. - * - * @access private - */ - private function cacheBadLogin() { - global $wgMemc; - - $key = $this->getMemCacheKey(); - $val = $wgMemc->get( $key ); - - $val['lastReqTime'] = time(); - if (!isset($val['count'])) { - $val['count'] = 1; - } else { - $val['count'] = 1 + $val['count']; - } - - $delay = ApiLogin::calculateDelay($val['count']); - - $wgMemc->delete($key); - // Cache expiration should be the maximum timeout - to prevent a "try and wait" attack - $wgMemc->add( $key, $val, ApiLogin::calculateDelay(ApiLogin::THOTTLE_MAX_COUNT) ); - - return $delay; - } - - /** - * How much time the client must wait before it will be - * allowed to try to log-in next. - * The return value is 0 if no wait is required. - */ - private function getNextLoginTimeout() { - global $wgMemc; - - $val = $wgMemc->get($this->getMemCacheKey()); - - $elapse = (time() - $val['lastReqTime']); // in seconds - $canRetryIn = ApiLogin::calculateDelay($val['count']) - $elapse; - - return $canRetryIn < 0 ? 0 : $canRetryIn; - } - - /** - * Based on the number of previously attempted logins, returns - * the delay (in seconds) when the next login attempt will be allowed. - */ - private static function calculateDelay($count) { - // Defensive programming - $count = intval($count); - $count = $count < 1 ? 1 : $count; - $count = $count > self::THOTTLE_MAX_COUNT ? self::THOTTLE_MAX_COUNT : $count; - - return self::THROTTLE_TIME + self::THROTTLE_TIME * ($count - 1) * self::THROTTLE_FACTOR; - } - - /** - * Internal cache key for badlogin checks. Robbed from the - * ConfirmEdit extension and modified to use a key unique to the - * API login.3 - * - * @return string - * @access private - */ - private function getMemCacheKey() { - return wfMemcKey( 'apilogin', 'badlogin', 'ip', wfGetIP() ); - } - public function mustBePosted() { return true; } public function getAllowedParams() { -- 2.20.1