Protect REST login controller from brute force attacks too.

And make the REST auth token less predictable by using a better source for randomness.

modules/gallery/helpers/auth.php

@@ -64,14 +64,19 @@ static function logout() {
    * minute.
    */
   static function validate_too_many_failed_logins($name_input) {
+    $name = is_object($name_input) ? $name_input->value : $name_input;
     $failed_login = ORM::factory("failed_login")
-      ->where("name", "=", $name_input->value)
+      ->where("name", "=", $name)
       ->find();
     if ($failed_login->loaded() &&
         $failed_login->count > 5 &&
         (time() - $failed_login->time < 60)) {
-      $name_input->add_error("too_many_failed_logins", 1);
+      if (is_object($name_input)) {
+        $name_input->add_error("too_many_failed_logins", 1);
+      }
+      return false;
     }
+    return true;
   }
 
   /**

modules/rest/controllers/rest.php

@@ -22,11 +22,18 @@ public function index() {
     $username = Input::instance()->post("user");
     $password = Input::instance()->post("password");
 
+    if (empty($username) || !auth::validate_too_many_failed_logins($username)) {
+      throw new Rest_Exception("Forbidden", 403);
+    }
+
     $user = identity::lookup_user_by_name($username);
     if (empty($user) || !identity::is_correct_password($user, $password)) {
+      module::event("user_login_failed", $username);
       throw new Rest_Exception("Forbidden", 403);
     }
 
+    auth::login($user);
+
     $key = rest::get_access_token($user->id);
     rest::reply($key->access_key);
  }

modules/rest/helpers/rest.php

@@ -64,7 +64,7 @@ static function get_access_token($user_id) {
 
     if (!$key->loaded()) {
       $key->user_id = $user_id;
-      $key->access_key = md5(rand());
+      $key->access_key = md5(md5(uniqid(mt_rand(), true) . access::private_key()));
       $key->save();
     }
     return $key;