nextcloud/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
namespace OC\AppFramework\Middleware\Security;

use OC\AppFramework\Utility\ControllerMethodReflector;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\BruteForceProtection;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Http\TooManyRequestsResponse;
use OCP\AppFramework\Middleware;
use OCP\AppFramework\OCS\OCSException;
use OCP\AppFramework\OCSController;
use OCP\IRequest;
use OCP\Security\Bruteforce\IThrottler;
use OCP\Security\Bruteforce\MaxDelayReached;
use Psr\Log\LoggerInterface;
use ReflectionMethod;

/**
 * Class BruteForceMiddleware performs the bruteforce protection for controllers
 * that are annotated with @BruteForceProtection(action=$action) whereas $action
 * is the action that should be logged within the database.
 *
 * @package OC\AppFramework\Middleware\Security
 */
class BruteForceMiddleware extends Middleware {
	private int $delaySlept = 0;

	public function __construct(
		protected ControllerMethodReflector $reflector,
		protected IThrottler $throttler,
		protected IRequest $request,
		protected LoggerInterface $logger,
	) {
	}

	/**
	 * {@inheritDoc}
	 */
	public function beforeController($controller, $methodName) {
		parent::beforeController($controller, $methodName);

		if ($this->reflector->hasAnnotation('BruteForceProtection')) {
			$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
			$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action);
		} else {
			$reflectionMethod = new ReflectionMethod($controller, $methodName);
			$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);

			if (!empty($attributes)) {
				$remoteAddress = $this->request->getRemoteAddress();

				foreach ($attributes as $attribute) {
					/** @var BruteForceProtection $protection */
					$protection = $attribute->newInstance();
					$action = $protection->getAction();
					$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action);
				}
			}
		}
	}

	/**
	 * {@inheritDoc}
	 */
	public function afterController($controller, $methodName, Response $response) {
		if ($response->isThrottled()) {
			try {
				if ($this->reflector->hasAnnotation('BruteForceProtection')) {
					$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
					$ip = $this->request->getRemoteAddress();
					$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());
					$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
				} else {
					$reflectionMethod = new ReflectionMethod($controller, $methodName);
					$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);

					if (!empty($attributes)) {
						$ip = $this->request->getRemoteAddress();
						$metaData = $response->getThrottleMetadata();

						foreach ($attributes as $attribute) {
							/** @var BruteForceProtection $protection */
							$protection = $attribute->newInstance();
							$action = $protection->getAction();

							if (!isset($metaData['action']) || $metaData['action'] === $action) {
								$this->throttler->registerAttempt($action, $ip, $metaData);
								$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
							}
						}
					} else {
						$this->logger->debug('Response for ' . get_class($controller) . '::' . $methodName . ' got bruteforce throttled but has no annotation nor attribute defined.');
					}
				}
			} catch (MaxDelayReached $e) {
				if ($controller instanceof OCSController) {
					throw new OCSException($e->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);
				}

				return new TooManyRequestsResponse();
			}
		}

		if ($this->delaySlept) {
			$response->addHeader('X-Nextcloud-Bruteforce-Throttled', $this->delaySlept . 'ms');
		}

		return parent::afterController($controller, $methodName, $response);
	}

	/**
	 * @param Controller $controller
	 * @param string $methodName
	 * @param \Exception $exception
	 * @throws \Exception
	 * @return Response
	 */
	public function afterException($controller, $methodName, \Exception $exception): Response {
		if ($exception instanceof MaxDelayReached) {
			if ($controller instanceof OCSController) {
				throw new OCSException($exception->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);
			}

			return new TooManyRequestsResponse();
		}

		throw $exception;
	}
}
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`<?php`
Fix CS Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-07-09 06:25:57 -04:00
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`declare(strict_types=1);`
Update the license headers for Nextcloud 20 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-08-24 08:54:25 -04:00
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-23 03:26:56 -04:00			`* SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-License-Identifier: AGPL-3.0-or-later`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`*/`
			`namespace OC\AppFramework\Middleware\Security;`

			`use OC\AppFramework\Utility\ControllerMethodReflector;`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`use OCP\AppFramework\Controller;`
			`use OCP\AppFramework\Http;`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`use OCP\AppFramework\Http\Attribute\BruteForceProtection;`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`use OCP\AppFramework\Http\Response;`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`use OCP\AppFramework\Http\TooManyRequestsResponse;`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`use OCP\AppFramework\Middleware;`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`use OCP\AppFramework\OCS\OCSException;`
			`use OCP\AppFramework\OCSController;`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`use OCP\IRequest;`
techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25 Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-08-28 09:50:45 -04:00			`use OCP\Security\Bruteforce\IThrottler;`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00			`use OCP\Security\Bruteforce\MaxDelayReached;`
Add a debug message when throttling without defining Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-03-08 06:08:53 -05:00			`use Psr\Log\LoggerInterface;`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`use ReflectionMethod;`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00
			`/**`
			`* Class BruteForceMiddleware performs the bruteforce protection for controllers`
			`* that are annotated with @BruteForceProtection(action=$action) whereas $action`
			`* is the action that should be logged within the database.`
			`*`
			`* @package OC\AppFramework\Middleware\Security`
			`*/`
			`class BruteForceMiddleware extends Middleware {`
feat: Add a header which signals that the request was throttled Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-08-14 13:16:31 -04:00			`private int $delaySlept = 0;`

Add a debug message when throttling without defining Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-03-08 06:08:53 -05:00			`public function __construct(`
			`protected ControllerMethodReflector $reflector,`
techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25 Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-08-28 09:50:45 -04:00			`protected IThrottler $throttler,`
Add a debug message when throttling without defining Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-03-08 06:08:53 -05:00			`protected IRequest $request,`
			`protected LoggerInterface $logger,`
			`) {`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`}`

			`/**`
			`* {@inheritDoc}`
			`*/`
Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-08-01 11:32:03 -04:00			`public function beforeController($controller, $methodName) {`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`parent::beforeController($controller, $methodName);`

			`if ($this->reflector->hasAnnotation('BruteForceProtection')) {`
			`$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');`
feat: Add a header which signals that the request was throttled Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-08-14 13:16:31 -04:00			`$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action);`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`} else {`
			`$reflectionMethod = new ReflectionMethod($controller, $methodName);`
			`$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);`

			`if (!empty($attributes)) {`
			`$remoteAddress = $this->request->getRemoteAddress();`

			`foreach ($attributes as $attribute) {`
			`/** @var BruteForceProtection $protection */`
			`$protection = $attribute->newInstance();`
			`$action = $protection->getAction();`
feat: Add a header which signals that the request was throttled Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-08-14 13:16:31 -04:00			`$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action);`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`}`
			`}`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`}`
			`}`

			`/**`
			`* {@inheritDoc}`
			`*/`
Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-08-01 11:32:03 -04:00			`public function afterController($controller, $methodName, Response $response) {`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`if ($response->isThrottled()) {`
fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-05-11 03:17:30 -04:00			`try {`
			`if ($this->reflector->hasAnnotation('BruteForceProtection')) {`
			`$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`$ip = $this->request->getRemoteAddress();`
fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-05-11 03:17:30 -04:00			`$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());`
feat: Add a header which signals that the request was throttled Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-08-14 13:16:31 -04:00			`$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($ip, $action);`
fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-05-11 03:17:30 -04:00			`} else {`
			`$reflectionMethod = new ReflectionMethod($controller, $methodName);`
			`$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);`

			`if (!empty($attributes)) {`
			`$ip = $this->request->getRemoteAddress();`
			`$metaData = $response->getThrottleMetadata();`

			`foreach ($attributes as $attribute) {`
			`/** @var BruteForceProtection $protection */`
			`$protection = $attribute->newInstance();`
			`$action = $protection->getAction();`

			`if (!isset($metaData['action']) \|\| $metaData['action'] === $action) {`
			`$this->throttler->registerAttempt($action, $ip, $metaData);`
feat: Add a header which signals that the request was throttled Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-08-14 13:16:31 -04:00			`$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($ip, $action);`
fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-05-11 03:17:30 -04:00			`}`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`}`
fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-05-11 03:17:30 -04:00			`} else {`
			`$this->logger->debug('Response for ' . get_class($controller) . '::' . $methodName . ' got bruteforce throttled but has no annotation nor attribute defined.');`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`}`
			`}`
fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-05-11 03:17:30 -04:00			`} catch (MaxDelayReached $e) {`
			`if ($controller instanceof OCSController) {`
			`throw new OCSException($e->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);`
			`}`

			`return new TooManyRequestsResponse();`
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-02-28 16:26:22 -05:00			`}`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`}`

feat: Add a header which signals that the request was throttled Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-08-14 13:16:31 -04:00			`if ($this->delaySlept) {`
fix(middleware): Fix header injection for bruteforce middleware Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons So shifting back to old standard practise for now Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-08-22 10:00:39 -04:00			`$response->addHeader('X-Nextcloud-Bruteforce-Throttled', $this->delaySlept . 'ms');`
feat: Add a header which signals that the request was throttled Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-08-14 13:16:31 -04:00			`}`

Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`return parent::afterController($controller, $methodName, $response);`
			`}`
Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com> 2020-03-19 07:09:57 -04:00
			`/**`
			`* @param Controller $controller`
			`* @param string $methodName`
			`* @param \Exception $exception`
			`* @throws \Exception`
			`* @return Response`
			`*/`
			`public function afterException($controller, $methodName, \Exception $exception): Response {`
			`if ($exception instanceof MaxDelayReached) {`
			`if ($controller instanceof OCSController) {`
			`throw new OCSException($exception->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);`
			`}`

			`return new TooManyRequestsResponse();`
			`}`

			`throw $exception;`
			`}`
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-04-13 16:50:44 -04:00			`}`