Skip to content

Expired tokens should not trigger bruteforce protection#12140

Merged
rullzer merged 2 commits intomasterfrom
fix/expired_token_throttler
Oct 30, 2018
Merged

Expired tokens should not trigger bruteforce protection#12140
rullzer merged 2 commits intomasterfrom
fix/expired_token_throttler

Conversation

@rullzer
Copy link
Member

@rullzer rullzer commented Oct 30, 2018
edited
Loading

The first commit is a cleanup one since apparently the Exception was in the wrong namespace 🙈

Second commit is the actual fix.

Fixes #12131

@rullzer rullzer added this to the Nextcloud 15 milestone Oct 30, 2018
ChristophWurst
ChristophWurst approved these changes Oct 30, 2018
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense!

Dagefoerde
Dagefoerde approved these changes Oct 30, 2018
View reviewed changes
Copy link
Member

@Dagefoerde Dagefoerde left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐘

@rullzer rullzer force-pushed the fix/expired_token_throttler branch from 66c9507 to 8e8163c Compare October 30, 2018 13:40
@MorrisJobke MorrisJobke added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Oct 30, 2018
MorrisJobke
MorrisJobke approved these changes Oct 30, 2018
View reviewed changes
Copy link
Member

@MorrisJobke MorrisJobke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code makes sense 👍

@rullzer
Move ExpiredTokenException to the correct namespace
674930d 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer
Error out early on an expired token
2223d19 
Fixes #12131

If we hit an expired token there is no need to continue checking. Since
we know it is a token.

We also should not register this with the bruteforce throttler as it is
actually a valid token. Just expired. Instead the authentication should
fail. And buisness continues as usual.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer rullzer force-pushed the fix/expired_token_throttler branch from 8e8163c to 2223d19 Compare October 30, 2018 18:30
@rullzer rullzer merged commit a51c837 into master Oct 30, 2018
@rullzer rullzer deleted the fix/expired_token_throttler branch October 30, 2018 19:17
@Dagefoerde Dagefoerde mentioned this pull request Oct 31, 2018
Merged
@rullzer rullzer mentioned this pull request Nov 2, 2018
Merged
@nextcloud-bot nextcloud-bot mentioned this pull request Nov 29, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MorrisJobke MorrisJobke MorrisJobke approved these changes

@Dagefoerde Dagefoerde Dagefoerde approved these changes

@ChristophWurst ChristophWurst ChristophWurst approved these changes

Assignees

No one assigned

Labels

4. to release Ready to be released and/or waiting for tests to finish enhancement

Projects

None yet

Milestone

Nextcloud 15

Development

Successfully merging this pull request may close these issues.

Expired tokens should not trigger bruteforce protection

4 participants

@rullzer @MorrisJobke @Dagefoerde @ChristophWurst