feat(security): add Memcached-based rate limiting for remember-token auto-login

Prevents brute-force attacks against remember-me cookies. Uses Memcached
(Cache::add + increment) to track failures per IP: 5 attempts in 15 min
window, auto-expiring via TTL. Counter resets on successful auto-login.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-14 15:57:29 +01:00
parent a3a403c2ec
commit c45c636614
3 changed files with 65 additions and 2 deletions

View File

@@ -27,7 +27,8 @@ class RememberMeService
private readonly SessionStoreInterface $sessionStore,
private readonly CookieStoreInterface $cookieStore,
private readonly RequestRuntimeInterface $requestRuntime,
private readonly ?AuthSettingsGateway $authSettingsGateway = null
private readonly ?AuthSettingsGateway $authSettingsGateway = null,
private readonly ?RememberMeRateLimiter $rateLimiter = null
) {
}
@@ -51,6 +52,14 @@ class RememberMeService
if ($value === '' || strpos($value, ':') === false) {
return false;
}
$ip = $this->requestRuntime->ip();
if ($this->rateLimiter !== null && $this->rateLimiter->isBlocked($ip)) {
$this->clearCookie();
return false;
}
[$selector, $token] = explode(':', $value, 2);
$selector = trim($selector);
$token = trim($token);
@@ -61,6 +70,7 @@ class RememberMeService
$record = $this->rememberTokenRepository->findBySelector($selector);
if (!$record) {
$this->rateLimiter?->recordFailure($ip);
$this->clearCookie();
return false;
}
@@ -74,6 +84,7 @@ class RememberMeService
$hash = (string) ($record['token_hash'] ?? '');
if ($hash === '' || !hash_equals($hash, hash('sha256', $token))) {
$this->rateLimiter?->recordFailure($ip);
$this->rememberTokenRepository->deleteById((int) $record['id']);
$this->clearCookie();
return false;
@@ -120,6 +131,8 @@ class RememberMeService
$this->rememberTokenRepository->updateToken((int) $record['id'], $newHash, $newExpires);
$this->setCookie($selector, $newToken);
$this->rateLimiter?->reset($ip);
return true;
}