From 8f5174e90dd239d4cf282966f9d4109983ab8c37 Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin
Date: Thu, 25 Nov 2021 01:09:08 +0100
Subject: [PATCH] Move to rather locking down based on user accounts than on IP in MD_STD_SEC, use class constants for more obvious code
---
 src/MD_STD_SEC.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/MD_STD_SEC.php b/src/MD_STD_SEC.php
index 9b6af10..0e00dd8 100644
--- a/src/MD_STD_SEC.php
+++ b/src/MD_STD_SEC.php
@@ -9,10 +9,14 @@ declare(strict_types = 1);
 */
 final class MD_STD_SEC {
+ const REFRESH_TIME_GENERAL = 60; // Time until the comp. with the whole service is cleared.
+ const REFRESH_TIME_USER = 600; // Time until the comp. with the same username service is cleared.
+ const REFRESH_TIME_IP = 180; // Time until the comp. with the same IP is cleared. This should be lower than the user-level one, as people working together may be using a common IP.
+
 const BRUTE_FORCE_DELAY_DEFAULT = 2000; // 2000 microseconds = 2 milliseconds
 const BRUTE_FORCE_DELAY_MULTIPLIER_COMMON = 1.08;
- const BRUTE_FORCE_DELAY_MULTIPLIER_PER_USER = 1.8;
- const BRUTE_FORCE_DELAY_MULTIPLIER_PER_IP = 4;
+ const BRUTE_FORCE_DELAY_MULTIPLIER_PER_USER = 2.8;
+ const BRUTE_FORCE_DELAY_MULTIPLIER_PER_IP = 2;
 /**
 * Function for retrieving the anti-csrf token or generating it if need be.
@@ -63,7 +67,7 @@ final class MD_STD_SEC {
 // Unstable but working way to get the user's IP. If the IP is falsified,
 // this can't be found out anyway and security is established by _common.
- $ip = \strval($_SERVER['REMOTE_ADDR'] ?: ($_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP']));
+ $ip = \filter_var($_SERVER['REMOTE_ADDR'] ?: ($_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP']), \FILTER_VALIDATE_IP) ?: "Failed to find";
 // Set name of log file
 $logfile_common = \sys_get_temp_dir() . "/logins_{$tool_name}.json";
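Review bot: The trailing comments on the three new REFRESH_TIME_* constants give no unit, the abbreviation "comp." is unclear, and the REFRESH_TIME_USER one ("with the same username service is cleared") reads like a typo; the later hunk compares these values against `\time()` differences, so they are seconds, whereas BRUTE_FORCE_DELAY_DEFAULT a few lines below is in microseconds. Stating the unit and what actually happens when the window expires (the hunk at line 82 resets the counter to `["count" => 0, "time" => \time()]`) keeps the two units from being confused, e.g. `const REFRESH_TIME_GENERAL = 60; // Seconds after which the service-wide failed-login counter is reset.` and `const REFRESH_TIME_USER = 600; // Seconds after which the per-username failed-login counter is reset.`. The class body continues outside the hunk.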
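Review bot: The rewritten `$ip` line still chains the three `$_SERVER` keys with `?:`, which on PHP 8 emits an "Undefined array key" warning whenever a fallback key is absent (a CLI run, or a request without the X-Forwarded-For / Client-IP headers while REMOTE_ADDR is empty), since `?:` does not guard against a missing key the way `??` does. A null-coalescing chain keeps the same preference order without the warnings: `$ip = \filter_var($_SERVER['REMOTE_ADDR'] ?? $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['HTTP_CLIENT_IP'] ?? '', \FILTER_VALIDATE_IP) ?: "Failed to find";`. Note also that `FILTER_VALIDATE_IP` rejects a multi-hop X-Forwarded-For value ("client, proxy"), so every such request, and any other unparseable address, lands in the one literal `"Failed to find"` bucket and — presumably via `$hash_ip`, which is derived outside this hunk — shares a single IP-level counter and delay; that is acceptable given the "security is established by _common" comment, but worth recording next to it: `// Anything that fails validation (e.g. a multi-hop X-Forwarded-For list) shares the single "Failed to find" bucket.`. The unchanged comment at the top of the next hunk ("aren't old than 600 seconds / 10 minutes") is now stale, as only REFRESH_TIME_USER is still 600. The enclosing method starts and ends outside the hunk.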
@@ -82,13 +86,13 @@ final class MD_STD_SEC {
 $loginLog = \json_decode(MD_STD::file_get_contents($logfile_common), \true) ?: [];
 // Ensure the counters exist and aren't old than 600 seconds / 10 minutes
- if (empty($loginLog['common']) || \time() - $loginLog['common']['time'] > 600) {
+ if (empty($loginLog['common']) || \time() - $loginLog['common']['time'] > self::REFRESH_TIME_GENERAL) {
 $loginLog['common'] = ["count" => 0, "time" => \time()];
 }
- if (empty($loginLog['usr'][$hash_user]) || \time() - $loginLog['usr'][$hash_user]['time'] > 600) {
+ if (empty($loginLog['usr'][$hash_user]) || \time() - $loginLog['usr'][$hash_user]['time'] > self::REFRESH_TIME_USER) {
 $loginLog['usr'][$hash_user] = ["count" => 0, "time" => \time()];
 }
- if (empty($loginLog['ip'][$hash_ip]) || \time() - $loginLog['ip'][$hash_ip]['time'] > 600) {
+ if (empty($loginLog['ip'][$hash_ip]) || \time() - $loginLog['ip'][$hash_ip]['time'] > self::REFRESH_TIME_IP) {
 $loginLog['ip'][$hash_ip] = ["count" => 0, "time" => \time()];
 }