From 8ed5e93cd2f6fff4eee09e00424e820a73c5e6b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C4=93teris=20Caune?= Date: Fri, 30 Jul 2021 17:30:28 +0300 Subject: [PATCH] Add rate limiting for TOTP auth attempts --- hc/accounts/tests/test_login_totp.py | 9 +++++++++ hc/accounts/views.py | 3 +++ hc/api/models.py | 8 ++++++++ 3 files changed, 20 insertions(+) diff --git a/hc/accounts/tests/test_login_totp.py b/hc/accounts/tests/test_login_totp.py index 8c70985e..ed0ed767 100644 --- a/hc/accounts/tests/test_login_totp.py +++ b/hc/accounts/tests/test_login_totp.py @@ -1,6 +1,7 @@ import time from unittest.mock import patch +from hc.api.models import TokenBucket from hc.test import BaseTestCase @@ -75,3 +76,11 @@ class LoginTotpTestCase(BaseTestCase): r = self.client.post(self.url, {"code": "000000"}) self.assertContains(r, "The code you entered was incorrect.") + + def test_it_uses_rate_limiting(self): + obj = TokenBucket(value=f"totp-{self.alice.id}") + obj.tokens = 0 + obj.save() + + r = self.client.post(self.url, {"code": "000000"}) + self.assertContains(r, "Too Many Requests") diff --git a/hc/accounts/views.py b/hc/accounts/views.py index 2a541a33..d173ce42 100644 --- a/hc/accounts/views.py +++ b/hc/accounts/views.py @@ -848,6 +848,9 @@ def login_totp(request): totp = pyotp.totp.TOTP(user.profile.totp) if request.method == "POST": + if not TokenBucket.authorize_totp(user): + return render(request, "try_later.html") + form = forms.TotpForm(totp, request.POST) if form.is_valid(): request.session.pop("2fa_user") diff --git a/hc/api/models.py b/hc/api/models.py index 6b8dddff..bfbf3b8f 100644 --- a/hc/api/models.py +++ b/hc/api/models.py @@ -983,3 +983,11 @@ class TokenBucket(models.Model): # 10 sudo attempts per day return TokenBucket.authorize(value, 10, 3600 * 24) + + @staticmethod + def authorize_totp(user): + value = "totp-%d" % user.id + + # 96 attempts per 24 hours + # (or, on average, one attempt per 15 minutes) + return TokenBucket.authorize(value, 96, 3600 * 24)