nextcloud/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php

<?php

declare(strict_types=1);

/**
 * @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
 * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
 *
 * @author Christoph Wurst <christoph@winzerhof-wurst.at>
 * @author Joas Schilling <coding@schilljs.com>
 * @author Lukas Reschke <lukas@statuscode.ch>
 *
 * @license GNU AGPL version 3 or any later version
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */
namespace OC\AppFramework\Middleware\Security;

use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\Bruteforce\Throttler;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\BruteForceProtection;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Http\TooManyRequestsResponse;
use OCP\AppFramework\Middleware;
use OCP\AppFramework\OCS\OCSException;
use OCP\AppFramework\OCSController;
use OCP\IRequest;
use OCP\Security\Bruteforce\MaxDelayReached;
use Psr\Log\LoggerInterface;
use ReflectionMethod;

/**
 * Class BruteForceMiddleware performs the bruteforce protection for controllers
 * that are annotated with @BruteForceProtection(action=$action) whereas $action
 * is the action that should be logged within the database.
 *
 * @package OC\AppFramework\Middleware\Security
 */
class BruteForceMiddleware extends Middleware {
	public function __construct(
		protected ControllerMethodReflector $reflector,
		protected Throttler $throttler,
		protected IRequest $request,
		protected LoggerInterface $logger,
	) {
	}

	/**
	 * {@inheritDoc}
	 */
	public function beforeController($controller, $methodName) {
		parent::beforeController($controller, $methodName);

		if ($this->reflector->hasAnnotation('BruteForceProtection')) {
			$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
			$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action);
		} else {
			$reflectionMethod = new ReflectionMethod($controller, $methodName);
			$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);

			if (!empty($attributes)) {
				$remoteAddress = $this->request->getRemoteAddress();

				foreach ($attributes as $attribute) {
					/** @var BruteForceProtection $protection */
					$protection = $attribute->newInstance();
					$action = $protection->getAction();
					$this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action);
				}
			}
		}
	}

	/**
	 * {@inheritDoc}
	 */
	public function afterController($controller, $methodName, Response $response) {
		if ($response->isThrottled()) {
			try {
				if ($this->reflector->hasAnnotation('BruteForceProtection')) {
					$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
					$ip = $this->request->getRemoteAddress();
					$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());
					$this->throttler->sleepDelayOrThrowOnMax($ip, $action);
				} else {
					$reflectionMethod = new ReflectionMethod($controller, $methodName);
					$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);

					if (!empty($attributes)) {
						$ip = $this->request->getRemoteAddress();
						$metaData = $response->getThrottleMetadata();

						foreach ($attributes as $attribute) {
							/** @var BruteForceProtection $protection */
							$protection = $attribute->newInstance();
							$action = $protection->getAction();

							if (!isset($metaData['action']) || $metaData['action'] === $action) {
								$this->throttler->registerAttempt($action, $ip, $metaData);
								$this->throttler->sleepDelayOrThrowOnMax($ip, $action);
							}
						}
					} else {
						$this->logger->debug('Response for ' . get_class($controller) . '::' . $methodName . ' got bruteforce throttled but has no annotation nor attribute defined.');
					}
				}
			} catch (MaxDelayReached $e) {
				if ($controller instanceof OCSController) {
					throw new OCSException($e->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);
				}

				return new TooManyRequestsResponse();
			}
		}

		return parent::afterController($controller, $methodName, $response);
	}

	/**
	 * @param Controller $controller
	 * @param string $methodName
	 * @param \Exception $exception
	 * @throws \Exception
	 * @return Response
	 */
	public function afterException($controller, $methodName, \Exception $exception): Response {
		if ($exception instanceof MaxDelayReached) {
			if ($controller instanceof OCSController) {
				throw new OCSException($exception->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);
			}

			return new TooManyRequestsResponse();
		}

		throw $exception;
	}
}
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`<?php`
Fix CS Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-07-09 06:25:57 -04:00
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`declare(strict_types=1);`
Update the license headers for Nextcloud 20 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-08-24 08:54:25 -04:00
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`/**`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`* @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>`
			`*`
Update license headers for 19 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-29 05:57:22 -04:00			`* @author Christoph Wurst <christoph@winzerhof-wurst.at>`
Update the license headers for Nextcloud 20 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-08-24 08:54:25 -04:00			`* @author Joas Schilling <coding@schilljs.com>`
Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2017-11-06 09:56:42 -05:00			`* @author Lukas Reschke <lukas@statuscode.ch>`
			`*`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`* @license GNU AGPL version 3 or any later version`
			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as`
			`* published by the Free Software Foundation, either version 3 of the`
			`* License, or (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
Update php licenses Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> 2021-06-04 15:52:51 -04:00			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 13:57:53 -05:00			`* along with this program. If not, see <http://www.gnu.org/licenses/>.`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`*`
			`*/`
			`namespace OC\AppFramework\Middleware\Security;`

			`use OC\AppFramework\Utility\ControllerMethodReflector;`
			`use OC\Security\Bruteforce\Throttler;`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`use OCP\AppFramework\Controller;`
			`use OCP\AppFramework\Http;`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`use OCP\AppFramework\Http\Attribute\BruteForceProtection;`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`use OCP\AppFramework\Http\Response;`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`use OCP\AppFramework\Http\TooManyRequestsResponse;`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`use OCP\AppFramework\Middleware;`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`use OCP\AppFramework\OCS\OCSException;`
			`use OCP\AppFramework\OCSController;`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`use OCP\IRequest;`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`use OCP\Security\Bruteforce\MaxDelayReached;`
Add a debug message when throttling without defining Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-03-08 06:08:53 -05:00			`use Psr\Log\LoggerInterface;`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`use ReflectionMethod;`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00
			`/**`
			`* Class BruteForceMiddleware performs the bruteforce protection for controllers`
			`* that are annotated with @BruteForceProtection(action=$action) whereas $action`
			`* is the action that should be logged within the database.`
			`*`
			`* @package OC\AppFramework\Middleware\Security`
			`*/`
			`class BruteForceMiddleware extends Middleware {`
Add a debug message when throttling without defining Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-03-08 06:08:53 -05:00			`public function __construct(`
			`protected ControllerMethodReflector $reflector,`
			`protected Throttler $throttler,`
			`protected IRequest $request,`
			`protected LoggerInterface $logger,`
			`) {`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`}`

			`/**`
			`* {@inheritDoc}`
			`*/`
Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-08-01 11:32:03 -04:00			`public function beforeController($controller, $methodName) {`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`parent::beforeController($controller, $methodName);`

Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-10 08:19:56 -04:00			`if ($this->reflector->hasAnnotation('BruteForceProtection')) {`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action);`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`} else {`
			`$reflectionMethod = new ReflectionMethod($controller, $methodName);`
			`$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);`

			`if (!empty($attributes)) {`
			`$remoteAddress = $this->request->getRemoteAddress();`

			`foreach ($attributes as $attribute) {`
			`/** @var BruteForceProtection $protection */`
			`$protection = $attribute->newInstance();`
			`$action = $protection->getAction();`
			`$this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action);`
			`}`
			`}`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`}`
			`}`

			`/**`
			`* {@inheritDoc}`
			`*/`
Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-08-01 11:32:03 -04:00			`public function afterController($controller, $methodName, Response $response) {`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`if ($response->isThrottled()) {`
fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-05-11 03:17:30 -04:00			`try {`
			`if ($this->reflector->hasAnnotation('BruteForceProtection')) {`
			`$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`$ip = $this->request->getRemoteAddress();`
fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-05-11 03:17:30 -04:00			`$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());`
			`$this->throttler->sleepDelayOrThrowOnMax($ip, $action);`
			`} else {`
			`$reflectionMethod = new ReflectionMethod($controller, $methodName);`
			`$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);`

			`if (!empty($attributes)) {`
			`$ip = $this->request->getRemoteAddress();`
			`$metaData = $response->getThrottleMetadata();`

			`foreach ($attributes as $attribute) {`
			`/** @var BruteForceProtection $protection */`
			`$protection = $attribute->newInstance();`
			`$action = $protection->getAction();`

			`if (!isset($metaData['action']) \|\| $metaData['action'] === $action) {`
			`$this->throttler->registerAttempt($action, $ip, $metaData);`
			`$this->throttler->sleepDelayOrThrowOnMax($ip, $action);`
			`}`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`}`
fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-05-11 03:17:30 -04:00			`} else {`
			`$this->logger->debug('Response for ' . get_class($controller) . '::' . $methodName . ' got bruteforce throttled but has no annotation nor attribute defined.');`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`}`
			`}`
fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-05-11 03:17:30 -04:00			`} catch (MaxDelayReached $e) {`
			`if ($controller instanceof OCSController) {`
			`throw new OCSException($e->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);`
			`}`

			`return new TooManyRequestsResponse();`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`}`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`}`

			`return parent::afterController($controller, $methodName, $response);`
			`}`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00
			`/**`
			`* @param Controller $controller`
			`* @param string $methodName`
			`* @param \Exception $exception`
			`* @throws \Exception`
			`* @return Response`
			`*/`
			`public function afterException($controller, $methodName, \Exception $exception): Response {`
			`if ($exception instanceof MaxDelayReached) {`
			`if ($controller instanceof OCSController) {`
			`throw new OCSException($exception->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);`
			`}`

			`return new TooManyRequestsResponse();`
			`}`

			`throw $exception;`
			`}`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`}`