From 1c2c1a76fa258fc61dd9b1b1afe02bbeedd0509e Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Mon, 14 Apr 2025 19:36:07 +0300
Subject: [PATCH] Fixes bugs in login ratelimiting

---
 app/classes/ratelimiter.php | 4 ++--
 app/classes/user.php        | 3 ---
 app/pages/login.php         | 3 ---
 3 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/app/classes/ratelimiter.php b/app/classes/ratelimiter.php
index 504fdee..50a03db 100644
--- a/app/classes/ratelimiter.php
+++ b/app/classes/ratelimiter.php
@@ -115,7 +115,7 @@ class RateLimiter {
      * Get number of recent login attempts for an IP
      */
     public function getRecentAttempts($ip) {
-        $stmt = $this->db->prepare("SELECT COUNT(*) as attempts FROM {$this->authRatelimitTable}
+        $stmt = $this->db->prepare("SELECT COUNT(*) as attempts FROM {$this->authRatelimitTable}
             WHERE ip_address = ? AND attempted_at > datetime('now', '-' || :minutes || ' minutes')");
         $stmt->execute([$ip, $this->decayMinutes]);
         $result = $stmt->fetch(PDO::FETCH_ASSOC);
@@ -574,7 +574,7 @@ class RateLimiter {
      * Clean old page requests
      */
     private function cleanOldPageRequests() {
-        $sql = "DELETE FROM {$this->pagesRatelimitTable}
+        $sql = "DELETE FROM {$this->pagesRatelimitTable}
                 WHERE request_time < DATETIME('now', '-1 minute')";
         $stmt = $this->db->prepare($sql);
 
diff --git a/app/classes/user.php b/app/classes/user.php
index 71d329a..6082737 100644
--- a/app/classes/user.php
+++ b/app/classes/user.php
@@ -104,9 +104,6 @@ class User {
         require_once __DIR__ . '/../helpers/logs.php';
         $ipAddress = getUserIP();
 
-        // Record attempt
-        $this->rateLimiter->attempt($username, $ipAddress);
-
         // Check rate limiting first
         if (!$this->rateLimiter->isAllowed($username, $ipAddress)) {
             $remainingTime = $this->rateLimiter->getDecayMinutes();
diff --git a/app/pages/login.php b/app/pages/login.php
index 0c536bd..f854abe 100644
--- a/app/pages/login.php
+++ b/app/pages/login.php
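Review bot: The statement prepared on the new side of the getRecentAttempts hunk still mixes a positional `?` placeholder (`ip_address = ?`) with a named `:minutes` placeholder, while `$stmt->execute([$ip, $this->decayMinutes])` supplies two positional values; PDO's parser rejects statements that mix named and positional parameters (SQLSTATE HY093), so as far as I can tell this query cannot run and the attempt count is never read, which would leave the login limiter ineffective. The `-`/`+` lines are indistinguishable here (presumably a trailing-whitespace change), so the commit does not address it. Use positional placeholders throughout: `WHERE ip_address = ? AND attempted_at > datetime('now', '-' || ? || ' minutes')");` and keep `$stmt->execute([$ip, $this->decayMinutes]);` as is. The body of getRecentAttempts continues past the end of the hunk, so the handling of `$result` is not visible.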
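Review bot: With the `attempt()` call removed in the user.php hunk (and the matching call removed in the login.php hunk), nothing visible records a login attempt before `isAllowed()` is consulted, so whether `isAllowed()` and `tooManyAttempts()` can ever trip now depends on a record being written on the authentication-failure path, which lies outside both hunks. If the intent is to count only failed logins so that a successful login is not penalised, that should be stated where the check is made, e.g. `// Attempts are recorded only when authentication fails; do not record here or every login would count.`, and the failure path should be confirmed to call `$this->rateLimiter->attempt($username, $ipAddress)`. The enclosing login method starts and ends outside the hunk.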
@@ -224,9 +224,6 @@ try {
             if ($rateLimiter->tooManyAttempts($username, $user_IP)) {
                 throw new Exception(Feedback::get('LOGIN', 'TOO_MANY_ATTEMPTS')['message']);
             }
-
-            // Record this attempt before trying to login
-            $rateLimiter->attempt($username, $user_IP, false);
         }
 
         // Attempt login