[geeklog-cvs] Geeklog-1.x/system lib-webservices.php,1.27,1.28
Dirk Haun
dhaun at qs1489.pair.com
Thu Jan 3 09:04:44 EST 2008
Update of /cvsroot/geeklog/Geeklog-1.x/system
In directory qs1489.pair.com:/tmp/cvs-serv95043/system
Modified Files:
lib-webservices.php
Log Message:
We now require login / authentication for every Atompub activity. Requires a somewhat creative solution for the login speedlimit (see WS_authenticate).
Index: lib-webservices.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-webservices.php,v
retrieving revision 1.27
retrieving revision 1.28
diff -C2 -d -r1.27 -r1.28
*** lib-webservices.php 2 Jan 2008 19:39:00 -0000 1.27
--- lib-webservices.php 3 Jan 2008 14:04:42 -0000 1.28
***************
*** 690,693 ****
--- 690,710 ----
/**
* Authenticates the user if authentication headers are present
+ *
+ * Our handling of the speedlimit here requires some explanation ...
+ * Atompub clients will usually try to do everything without logging in first.
+ * Since that would mean that we can't provide feeds for drafts, items with
+ * special permissions, etc. we ask them to log in (PLG_RET_AUTH_FAILED).
+ * That, however, means that every request from an Atompub client will count
+ * as one failed login attempt. So doing a couple of requests in quick
+ * succession will surely get the client blocked. Therefore
+ * - a request without any login credentials counts as one failed login attempt
+ * - a request with wrong login credentials counts as two failed login attempts
+ * - if, after a successful login, we have only one failed attempt on record,
+ * we reset the speedlimit
+ * This still ensures that
+ * - repeated failed logins (without or with invalid credentials) will cause the
+ * client to be blocked eventually
+ * - this can not be used for dictionary attacks
+ *
*/
function WS_authenticate()
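Review bot: The docblock's closing claim that this "can not be used for dictionary attacks" is stated without the reasoning it rests on. From the rules listed above it, the argument appears to be that a wrong guess adds two attempts, so a successful login made in between never finds only one attempt on record and never resets the counter. Suggest spelling that out in the comment, and noting that it holds only while the reset threshold and the two-per-wrong-guess count stay in step.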
***************
*** 710,715 ****
} elseif (!empty($_SERVER['REMOTE_USER'])) {
/* PHP installed as CGI may not have access to authorization headers of
! * Apache. In that case, use .htaccess to store the auth header as explained
! * at http://wiki.geeklog.net/wiki/index.php/Webservices_API#Authentication
*/
--- 727,733 ----
} elseif (!empty($_SERVER['REMOTE_USER'])) {
/* PHP installed as CGI may not have access to authorization headers of
! * Apache. In that case, use .htaccess to store the auth header as
! * explained at
! * http://wiki.geeklog.net/wiki/index.php/Webservices_API#Authentication
*/
***************
*** 725,729 ****
}
! return;
}
--- 743,747 ----
}
! // fallthrough (see below)
}
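Review bot: The comment "// fallthrough (see below)" that replaces the early "return;" does not say what the code falls through to. Suggest naming it, for example that execution continues to the credentials check so that a request without credentials is counted against the login speedlimit, as the docblock describes.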
***************
*** 733,737 ****
}
! $status = SEC_authenticate($username, $password, $uid);
if ($status == USER_ACCOUNT_ACTIVE) {
--- 751,757 ----
}
! if (!empty($username) && !empty($password)) {
! $status = SEC_authenticate($username, $password, $uid);
! }
if ($status == USER_ACCOUNT_ACTIVE) {
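Review bot: With the SEC_authenticate call now inside the "!empty($username) && !empty($password)" guard, $status is only assigned when both values are non-empty, and the visible lines show no default before "if ($status == USER_ACCOUNT_ACTIVE)". Unless it is initialised earlier in the function, set it to a failure value just before the guard so the comparison never reads an undefined variable. Note also that PHP's empty() treats the string "0" as empty, so a username or password of "0" is handled as missing credentials; comparing against '' would avoid that.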
***************
*** 742,747 ****
--- 762,784 ----
COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) successfully logged in");
}
+
+ // if there were less than 2 failed login attempts, reset speedlimit
+ if (COM_checkSpeedlimit('login', 2) == 0) {
+ if ($WS_VERBOSE) {
+ COM_errorLog("WS: Successful login - resetting speedlimit");
+ }
+ COM_resetSpeedlimit('login');
+ }
} else {
COM_updateSpeedlimit('login');
+ if (!empty($username) && !empty($password)) {
+ COM_updateSpeedlimit('login');
+
+ if ($WS_VERBOSE) {
+ COM_errorLog("WS: Wrong login credentials - counting as 2 failed attempts");
+ }
+ } elseif ($WS_VERBOSE) {
+ COM_errorLog("WS: Empty login credentials - counting as 1 failed attempt");
+ }
WS_error(PLG_RET_AUTH_FAILED);
}
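Review bot: Both failure messages in the else branch are written only when $WS_VERBOSE is set, so with verbose logging off a run of wrong-credential requests leaves nothing in the error log beyond the speedlimit counter. Suggest logging the wrong-credentials case unconditionally. Separately, the literal 2 in "COM_checkSpeedlimit('login', 2)" is coupled to the second COM_updateSpeedlimit('login') call in the wrong-credentials branch; a short comment at that call, or a shared constant, would keep the two from drifting apart.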