Protect REST login controller from brute force attacks too.

And make the REST auth token less predictable by using a better source for randomness.
This commit is contained in:
Andy Staudacher
2010-01-30 21:42:57 -08:00
parent cb92e58d40
commit 1470b99d1f
3 changed files with 17 additions and 5 deletions

View File

@@ -22,11 +22,18 @@ class Rest_Controller extends Controller {
$username = Input::instance()->post("user");
$password = Input::instance()->post("password");
$user = identity::lookup_user_by_name($username);
if (empty($user) || !identity::is_correct_password($user, $password)) {
if (empty($username) || !auth::validate_too_many_failed_logins($username)) {
throw new Rest_Exception("Forbidden", 403);
}
$user = identity::lookup_user_by_name($username);
if (empty($user) || !identity::is_correct_password($user, $password)) {
module::event("user_login_failed", $username);
throw new Rest_Exception("Forbidden", 403);
}
auth::login($user);
$key = rest::get_access_token($user->id);
rest::reply($key->access_key);
}