diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php
index 6585efcbae2..d0985fb6e2e 100644
--- a/lib/Controller/PageController.php
+++ b/lib/Controller/PageController.php
@@ -184,6 +184,7 @@ public function duplicateSession(): Response {
 * @throws HintException
 */
 public function index(string $token = '', string $callUser = '', string $password = ''): Response {
+ $bruteForceToken = $token;
 $user = $this->userSession->getUser();
 if (!$user instanceof IUser) {
 return $this->guestEnterRoom($token, $password);
@@ -296,7 +297,7 @@ public function index(string $token = '', string $callUser = '', string $passwor
 $response->setContentSecurityPolicy($csp);
 if ($throttle) {
 // Logged-in user tried to access a chat they can not access
- $response->throttle();
+ $response->throttle(['token' => $bruteForceToken]);
 }
 return $response;
 }
@@ -321,7 +322,7 @@ protected function guestEnterRoom(string $token, string $password): Response {
 $response = new RedirectResponse($this->url->linkToRoute('core.login.showLoginForm', [
 'redirect_url' => $redirectUrl,
 ]));
- $response->throttle();
+ $response->throttle(['token' => $token]);
 return $response;
 }
 
diff --git a/lib/Controller/RoomController.php b/lib/Controller/RoomController.php
index 0e44e69a4f3..ed6bd6f85b4 100644
--- a/lib/Controller/RoomController.php
+++ b/lib/Controller/RoomController.php
@@ -324,7 +324,7 @@ public function getSingleRoom(string $token): DataResponse {
 return new DataResponse($this->formatRoom($room, $participant, [], $isSIPBridgeRequest), Http::STATUS_OK, $this->getTalkHashHeader());
 } catch (RoomNotFoundException $e) {
 $response = new DataResponse([], Http::STATUS_NOT_FOUND);
- $response->throttle();
+ $response->throttle(['token' => $token]);
 return $response;
 }
 }
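Review bot: The new `$bruteForceToken = $token;` on the first line of index() carries no comment explaining why a copy of the parameter is needed, and its only reader is the `throttle()` call roughly a hundred lines further down in the second hunk. Presumably `$token` gets reassigned somewhere in between (the callUser path would be the obvious candidate), so the copy preserves the token the client actually sent and keeps the stored brute-force metadata consistent with what the API side later passes to resetDelay(); if that is the reason, state it: `// $token may be rewritten below; keep the value the client sent so the brute-force metadata matches what resetDelay() is keyed on`. If `$token` is in fact never reassigned, the copy is dead weight and the throttle call should use `$token` directly. Note that with the default `$token = ''` every failure without a token (for example callUser-only requests) lands under an empty-token metadata key that no later reset will match, which is fail-closed but worth a word in the same comment. index() continues well beyond this hunk.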
@@ -1233,6 +1233,7 @@ public function joinRoom(string $token, string $password = '', bool $force = tru
 } else {
 $participant = $this->participantService->joinRoomAsNewGuest($this->roomService, $room, $password, $result['result'], $previousParticipant);
 }
+ $this->throttler->resetDelay($this->request->getRemoteAddress(), 'talkRoomToken', ['token' => $token]);
 } catch (InvalidPasswordException $e) {
 $response = new DataResponse([], Http::STATUS_FORBIDDEN);
 $response->throttle(['token' => $token]);
diff --git a/lib/Middleware/InjectionMiddleware.php b/lib/Middleware/InjectionMiddleware.php
index de511071087..f5f0b2ad880 100644
--- a/lib/Middleware/InjectionMiddleware.php
+++ b/lib/Middleware/InjectionMiddleware.php
@@ -266,7 +266,9 @@ public function afterException($controller, $methodName, \Exception $exception):
 $ip = $this->request->getRemoteAddress();
 $action = 'talkRoomToken';
 $this->throttler->sleepDelay($ip, $action);
- $this->throttler->registerAttempt($action, $ip);
+ $this->throttler->registerAttempt($action, $ip, [
+ 'token' => $this->request->getParam('token') ?? '',
+ ]);
 }
 throw new OCSException('', Http::STATUS_NOT_FOUND);
 }
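Review bot: The added `resetDelay(..., 'talkRoomToken', ['token' => $token])` clears only attempts recorded under the `talkRoomToken` action, while the `InvalidPasswordException` branch directly below keeps registering its attempts through `$response->throttle(['token' => $token])` under whatever brute-force action joinRoom itself is annotated with, which is not visible in this hunk. If that action is not `talkRoomToken`, a correct password does not clear the password-guess counter for this IP and token, so a legitimate user who mistyped a few times presumably stays delayed after a successful join; either confirm that is the intended asymmetry with a comment on the new line, or also reset joinRoom's own action here with a second `resetDelay()` call carrying the same `['token' => $token]` metadata. Since the reset matches the stored metadata exactly, it will also leave untouched any attempts that were recorded with a different or empty token string, which is fine for security but should be kept in mind when reading the middleware change. joinRoom() starts before and ends after this hunk.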
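Review bot: `$this->request->getParam('token') ?? ''` in afterException() takes the brute-force metadata straight from the request, so it is guaranteed non-null but not guaranteed to be a string: getParam() can be satisfied by query or body input as well as the route parameter, so something like `token[]=x` would reach registerAttempt() as an array and be serialised into the persisted metadata, and an overlong value is passed through unbounded. Because RoomController's new resetDelay() must match this metadata exactly to clear an attempt, the value stored here should be the same normalised token string the controller works with; at minimum guard the type, `$token = $this->request->getParam('token');` and then `'token' => is_string($token) ? $token : '',`. If the routes already constrain `{token}` to a fixed pattern this is moot for path parameters, but it is not obvious from here that every request reaching this branch has one. afterException() begins before this hunk.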