feat(security): add Memcached-based rate limiting for remember-token auto-login
Prevents brute-force attacks against remember-me cookies. Uses Memcached (Cache::add + increment) to track failures per IP: 5 attempts in 15 min window, auto-expiring via TTL. Counter resets on successful auto-login. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -80,7 +80,8 @@ class AuthServicesFactory
|
|||||||
$this->sessionStore,
|
$this->sessionStore,
|
||||||
$this->cookieStore,
|
$this->cookieStore,
|
||||||
$this->requestRuntime,
|
$this->requestRuntime,
|
||||||
$this->authGatewayFactory->createAuthSettingsGateway()
|
$this->authGatewayFactory->createAuthSettingsGateway(),
|
||||||
|
new RememberMeRateLimiter()
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
49
lib/Service/Auth/RememberMeRateLimiter.php
Normal file
49
lib/Service/Auth/RememberMeRateLimiter.php
Normal file
@@ -0,0 +1,49 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace MintyPHP\Service\Auth;
|
||||||
|
|
||||||
|
use MintyPHP\Cache;
|
||||||
|
|
||||||
|
class RememberMeRateLimiter
|
||||||
|
{
|
||||||
|
private const KEY_PREFIX = 'remember_rl:';
|
||||||
|
private const MAX_ATTEMPTS = 5;
|
||||||
|
private const WINDOW_SECONDS = 900; // 15 minutes
|
||||||
|
|
||||||
|
public function isBlocked(string $ip): bool
|
||||||
|
{
|
||||||
|
if ($ip === '') {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$count = Cache::get(self::KEY_PREFIX . $ip);
|
||||||
|
|
||||||
|
return is_int($count) && $count >= self::MAX_ATTEMPTS;
|
||||||
|
}
|
||||||
|
|
||||||
|
public function recordFailure(string $ip): void
|
||||||
|
{
|
||||||
|
if ($ip === '') {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$key = self::KEY_PREFIX . $ip;
|
||||||
|
|
||||||
|
// add() only sets if key doesn't exist — creates the window.
|
||||||
|
// If key already exists, add() returns false and we just increment.
|
||||||
|
if (Cache::add($key, 1, self::WINDOW_SECONDS)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
Cache::increment($key);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function reset(string $ip): void
|
||||||
|
{
|
||||||
|
if ($ip === '') {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
Cache::delete(self::KEY_PREFIX . $ip);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -27,7 +27,8 @@ class RememberMeService
|
|||||||
private readonly SessionStoreInterface $sessionStore,
|
private readonly SessionStoreInterface $sessionStore,
|
||||||
private readonly CookieStoreInterface $cookieStore,
|
private readonly CookieStoreInterface $cookieStore,
|
||||||
private readonly RequestRuntimeInterface $requestRuntime,
|
private readonly RequestRuntimeInterface $requestRuntime,
|
||||||
private readonly ?AuthSettingsGateway $authSettingsGateway = null
|
private readonly ?AuthSettingsGateway $authSettingsGateway = null,
|
||||||
|
private readonly ?RememberMeRateLimiter $rateLimiter = null
|
||||||
) {
|
) {
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -51,6 +52,14 @@ class RememberMeService
|
|||||||
if ($value === '' || strpos($value, ':') === false) {
|
if ($value === '' || strpos($value, ':') === false) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$ip = $this->requestRuntime->ip();
|
||||||
|
|
||||||
|
if ($this->rateLimiter !== null && $this->rateLimiter->isBlocked($ip)) {
|
||||||
|
$this->clearCookie();
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
[$selector, $token] = explode(':', $value, 2);
|
[$selector, $token] = explode(':', $value, 2);
|
||||||
$selector = trim($selector);
|
$selector = trim($selector);
|
||||||
$token = trim($token);
|
$token = trim($token);
|
||||||
@@ -61,6 +70,7 @@ class RememberMeService
|
|||||||
|
|
||||||
$record = $this->rememberTokenRepository->findBySelector($selector);
|
$record = $this->rememberTokenRepository->findBySelector($selector);
|
||||||
if (!$record) {
|
if (!$record) {
|
||||||
|
$this->rateLimiter?->recordFailure($ip);
|
||||||
$this->clearCookie();
|
$this->clearCookie();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@@ -74,6 +84,7 @@ class RememberMeService
|
|||||||
|
|
||||||
$hash = (string) ($record['token_hash'] ?? '');
|
$hash = (string) ($record['token_hash'] ?? '');
|
||||||
if ($hash === '' || !hash_equals($hash, hash('sha256', $token))) {
|
if ($hash === '' || !hash_equals($hash, hash('sha256', $token))) {
|
||||||
|
$this->rateLimiter?->recordFailure($ip);
|
||||||
$this->rememberTokenRepository->deleteById((int) $record['id']);
|
$this->rememberTokenRepository->deleteById((int) $record['id']);
|
||||||
$this->clearCookie();
|
$this->clearCookie();
|
||||||
return false;
|
return false;
|
||||||
@@ -120,6 +131,8 @@ class RememberMeService
|
|||||||
$this->rememberTokenRepository->updateToken((int) $record['id'], $newHash, $newExpires);
|
$this->rememberTokenRepository->updateToken((int) $record['id'], $newHash, $newExpires);
|
||||||
$this->setCookie($selector, $newToken);
|
$this->setCookie($selector, $newToken);
|
||||||
|
|
||||||
|
$this->rateLimiter?->reset($ip);
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user