Move to rather locking down based on user accounts than on IP in

MD_STD_SEC, use class constants for more obvious code
This commit is contained in:
Joshua Ramon Enslin 2021-11-25 01:09:08 +01:00
parent 80af1ef260
commit 8f5174e90d
Signed by: jrenslin
GPG Key ID: 46016F84501B70AE

View File

@ -9,10 +9,14 @@ declare(strict_types = 1);
*/ */
final class MD_STD_SEC { final class MD_STD_SEC {
const REFRESH_TIME_GENERAL = 60; // Time until the comp. with the whole service is cleared.
const REFRESH_TIME_USER = 600; // Time until the comp. with the same username service is cleared.
const REFRESH_TIME_IP = 180; // Time until the comp. with the same IP is cleared. This should be lower than the user-level one, as people working together may be using a common IP.
const BRUTE_FORCE_DELAY_DEFAULT = 2000; // 2000 microseconds = 2 milliseconds const BRUTE_FORCE_DELAY_DEFAULT = 2000; // 2000 microseconds = 2 milliseconds
const BRUTE_FORCE_DELAY_MULTIPLIER_COMMON = 1.08; const BRUTE_FORCE_DELAY_MULTIPLIER_COMMON = 1.08;
const BRUTE_FORCE_DELAY_MULTIPLIER_PER_USER = 1.8; const BRUTE_FORCE_DELAY_MULTIPLIER_PER_USER = 2.8;
const BRUTE_FORCE_DELAY_MULTIPLIER_PER_IP = 4; const BRUTE_FORCE_DELAY_MULTIPLIER_PER_IP = 2;
/** /**
* Function for retrieving the anti-csrf token or generating it if need be. * Function for retrieving the anti-csrf token or generating it if need be.
@ -63,7 +67,7 @@ final class MD_STD_SEC {
// Unstable but working way to get the user's IP. If the IP is falsified, // Unstable but working way to get the user's IP. If the IP is falsified,
// this can't be found out anyway and security is established by _common. // this can't be found out anyway and security is established by _common.
$ip = \strval($_SERVER['REMOTE_ADDR'] ?: ($_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP'])); $ip = \filter_var($_SERVER['REMOTE_ADDR'] ?: ($_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP']), \FILTER_VALIDATE_IP) ?: "Failed to find";
// Set name of log file // Set name of log file
$logfile_common = \sys_get_temp_dir() . "/logins_{$tool_name}.json"; $logfile_common = \sys_get_temp_dir() . "/logins_{$tool_name}.json";
@ -82,13 +86,13 @@ final class MD_STD_SEC {
$loginLog = \json_decode(MD_STD::file_get_contents($logfile_common), \true) ?: []; $loginLog = \json_decode(MD_STD::file_get_contents($logfile_common), \true) ?: [];
// Ensure the counters exist and aren't old than 600 seconds / 10 minutes // Ensure the counters exist and aren't old than 600 seconds / 10 minutes
if (empty($loginLog['common']) || \time() - $loginLog['common']['time'] > 600) { if (empty($loginLog['common']) || \time() - $loginLog['common']['time'] > self::REFRESH_TIME_GENERAL) {
$loginLog['common'] = ["count" => 0, "time" => \time()]; $loginLog['common'] = ["count" => 0, "time" => \time()];
} }
if (empty($loginLog['usr'][$hash_user]) || \time() - $loginLog['usr'][$hash_user]['time'] > 600) { if (empty($loginLog['usr'][$hash_user]) || \time() - $loginLog['usr'][$hash_user]['time'] > self::REFRESH_TIME_USER) {
$loginLog['usr'][$hash_user] = ["count" => 0, "time" => \time()]; $loginLog['usr'][$hash_user] = ["count" => 0, "time" => \time()];
} }
if (empty($loginLog['ip'][$hash_ip]) || \time() - $loginLog['ip'][$hash_ip]['time'] > 600) { if (empty($loginLog['ip'][$hash_ip]) || \time() - $loginLog['ip'][$hash_ip]['time'] > self::REFRESH_TIME_IP) {
$loginLog['ip'][$hash_ip] = ["count" => 0, "time" => \time()]; $loginLog['ip'][$hash_ip] = ["count" => 0, "time" => \time()];
} }