Rate-limit login attempts

2026-02-04 03:35:09 -05:00 · 2009-05-19 13:55:58 -07:00
parent 87382213b1
commit 782238652b
2 changed files with 22 additions and 6 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -265,14 +265,18 @@ class ApiController(RedditController):
        form.redirect(dest)


-    @validatedForm(user = VLogin(['user', 'passwd']),
+    @validatedForm(VRatelimit(rate_ip = True, prefix = 'login_',
+                              error = errors.WRONG_PASSWORD),
+                   user = VLogin(['user', 'passwd']),
                   dest   = nop('dest'),
                   rem    = VBoolean('rem'),
                   reason = VReason('reason'))
    def POST_login(self, form, jquery, user, dest, rem, reason):
        if reason and reason[0] == 'redirect':
            dest = reason[1]
-        if not form.has_errors("passwd", errors.WRONG_PASSWORD):
+        if form.has_errors("passwd", errors.WRONG_PASSWORD):
+            VRatelimit.ratelimit(rate_ip = True, prefix = 'login_', seconds=1)
+        else:
            self._login(form, user, dest, rem)


--- a/r2/r2/controllers/validator/validator.py
+++ b/r2/r2/controllers/validator/validator.py
@@ -670,10 +670,11 @@ class VMenu(Validator):

 class VRatelimit(Validator):
    def __init__(self, rate_user = False, rate_ip = False,
-                 prefix = 'rate_', *a, **kw):
+                 prefix = 'rate_', error = errors.RATELIMIT, *a, **kw):
        self.rate_user = rate_user
        self.rate_ip = rate_ip
        self.prefix = prefix
+        self.error = error
        Validator.__init__(self, *a, **kw)

    def run (self):
@@ -687,12 +688,23 @@ class VRatelimit(Validator):
        if r:
            expire_time = max(r.values())
            time = utils.timeuntil(expire_time)
-            self.set_error(errors.RATELIMIT, {'time': time})
+
+            print "rate-limiting %s from %s" % (self.prefix, r.keys())
+
+            # when errors have associated field parameters, we'll need
+            # to add that here
+            if self.error == errors.RATELIMIT:
+                self.set_error(errors.RATELIMIT, {'time': time})
+            else:
+                self.set_error(self.error)
+                

    @classmethod
-    def ratelimit(self, rate_user = False, rate_ip = False, prefix = "rate_"):
+    def ratelimit(self, rate_user = False, rate_ip = False, prefix = "rate_",
+                  seconds = None):
        to_set = {}
-        seconds = g.RATELIMIT*60
+        if seconds is None:
+            seconds = g.RATELIMIT*60
        expire_time = datetime.now(g.tz) + timedelta(seconds = seconds)
        if rate_user and c.user_is_loggedin:
            to_set['user' + str(c.user._id36)] = expire_time