Adds rate limiting to the login page

Adds rate limiting to the user class
Adds rate limiter class
2024-12-07 15:38:13 +02:00 · 2024-12-07 15:32:28 +02:00 · 2024-12-06 15:25:15 +02:00
3 changed files with 156 additions and 43 deletions
--- a/app/classes/ratelimitrer.php
+++ b/app/classes/ratelimitrer.php
@ -0,0 +1,91 @@
+<?php
+
+class RateLimiter {
+    private $db;
+    private $maxAttempts = 5;        // Maximum login attempts
+    private $decayMinutes = 15;      // Time window in minutes
+    private $tableName = 'login_attempts';
+
+    public function __construct($database) {
+        $this->db = $database->getConnection();
+        $this->createTableIfNotExists();
+    }
+
+    private function createTableIfNotExists() {
+        $sql = "CREATE TABLE IF NOT EXISTS {$this->tableName} (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            ip_address VARCHAR(45) NOT NULL,
+            username VARCHAR(255) NOT NULL,
+            attempted_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+            INDEX idx_ip_username (ip_address, username)
+        )";
+
+        $this->db->exec($sql);
+    }
+
+    public function attempt($username, $ipAddress) {
+        // Clean old attempts
+        $this->clearOldAttempts();
+
+        // Record this attempt
+        $sql = "INSERT INTO {$this->tableName} (ip_address, username) VALUES (:ip, :username)";
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([
+            ':ip'		=> $ipAddress,
+            ':username'		=> $username
+        ]);
+
+        // Check if too many attempts
+        return !$this->tooManyAttempts($username, $ipAddress);
+    }
+
+    public function tooManyAttempts($username, $ipAddress) {
+        $sql = "SELECT COUNT(*) as attempts 
+                FROM {$this->tableName} 
+                WHERE ip_address = :ip 
+                AND username = :username 
+                AND attempted_at > datetime('now', '-' || :minutes || ' minutes')";
+
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([
+            ':ip'		=> $ipAddress,
+            ':username'		=> $username,
+            ':minutes'		=> $this->decayMinutes
+        ]);
+
+        $result = $stmt->fetch(PDO::FETCH_ASSOC);
+        return $result['attempts'] >= $this->maxAttempts;
+    }
+
+    public function clearOldAttempts() {
+        $sql = "DELETE FROM {$this->tableName} 
+                WHERE attempted_at < datetime('now', '-' || :minutes || ' minutes')";
+
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([
+            ':minutes'		=> $this->decayMinutes
+        ]);
+    }
+
+    public function getRemainingAttempts($username, $ipAddress) {
+        $sql = "SELECT COUNT(*) as attempts 
+                FROM {$this->tableName} 
+                WHERE ip_address = :ip 
+                AND username = :username 
+                AND attempted_at > datetime('now', '-' || :minutes || ' minutes')";
+
+        $stmt = $this->db->prepare($sql);
+        $stmt->execute([
+            ':ip'		=> $ipAddress,
+            ':username'		=> $username,
+            ':minutes'		=> $this->decayMinutes
+        ]);
+
+        $result = $stmt->fetch(PDO::FETCH_ASSOC);
+        return max(0, $this->maxAttempts - $result['attempts']);
+    }
+
+    public function getDecayMinutes() {
+        return $this->decayMinutes;
+    }
+}
--- a/app/classes/user.php
+++ b/app/classes/user.php
@ -10,6 +10,7 @@ class User {
     * @var PDO|null $db The database connection instance.
     */
    private $db;
+    private $ratelimiter;

    /**
     * User constructor.
@ -19,6 +20,7 @@ class User {
     */
    public function __construct($database) {
        $this->db = $database->getConnection();
+        $this->ratelimiter = new RateLimiter($database);
    }


@ -88,17 +90,33 @@ class User {
     * @return bool True if login is successful, false otherwise.
     */
    public function login($username, $password) {
-        $query = $this->db->prepare("SELECT * FROM  users WHERE username = :username");
+        // get client IP address
+        $ipAddress = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
+
+        // check rate limiting
+        if (!$this->rateLimiter->attempt($username, $ipAddress)) {
+            $remainingTime = $this->rateLimiter->getDecayMinutes();
+            throw new Exception("Too many login attempts. Please try again in {$remainingTime} minutes.");
+        }
+
+        $query = $this->db->prepare("SELECT * FROM users WHERE username = :username");
        $query->bindParam(':username', $username);
        $query->execute();

        $user = $query->fetch(PDO::FETCH_ASSOC);
-        if ( $user && password_verify($password, $user['password'])) {
+        if ($user && password_verify($password, $user['password'])) {
            $_SESSION['user_id'] = $user['id'];
            $_SESSION['username'] = $user['username'];
            return true;
+        }
+
+        // Login failed, return remaining attempts info
+        $remainingAttempts = $this->rateLimiter->getRemainingAttempts($username, $ipAddress);
+        if ($remainingAttempts > 0) {
+            throw new Exception("Invalid credentials. {$remainingAttempts} attempts remaining.");
        } else {
-            return false;
+            $remainingTime = $this->rateLimiter->getDecayMinutes();
+            throw new Exception("Too many login attempts. Please try again in {$remainingTime} minutes.");
        }
    }

--- a/app/pages/login.php
+++ b/app/pages/login.php
@ -22,49 +22,53 @@ try {
    $dbWeb = connectDB($config);

    if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
-        $username = $_POST['username'];
-        $password = $_POST['password'];
+        try {
+            $username = $_POST['username'];
+            $password = $_POST['password'];

-        // login successful
-        if ( $userObject->login($username, $password) ) {
-            // if remember_me is checked, max out the session
-            if (isset($_POST['remember_me'])) {
-                // 30*24*60*60 = 30 days
-                $cookie_lifetime = 30 * 24 * 60 * 60;
-                $setcookie_lifetime = time() + 30 * 24 * 60 * 60;
-                $gc_maxlifetime = 30 * 24 * 60 * 60;
+            // login successful
+            if ( $userObject->login($username, $password) ) {
+                // if remember_me is checked, max out the session
+                if (isset($_POST['remember_me'])) {
+                    // 30*24*60*60 = 30 days
+                    $cookie_lifetime = 30 * 24 * 60 * 60;
+                    $setcookie_lifetime = time() + 30 * 24 * 60 * 60;
+                    $gc_maxlifetime = 30 * 24 * 60 * 60;
+                } else {
+                    // 0 - session end on browser close
+                    // 1440 - 24 minutes (default)
+                    $cookie_lifetime = 0;
+                    $setcookie_lifetime = 0;
+                    $gc_maxlifetime = 1440;
+                }
+
+                // set session lifetime and cookies
+                setcookie('username', $username, [
+                    'expires'	=> $setcookie_lifetime,
+                    'path'		=> $config['folder'],
+                    'domain'	=> $config['domain'],
+                    'secure'	=> isset($_SERVER['HTTPS']),
+                    'httponly'	=> true,
+                    'samesite'	=> 'Strict'
+                ]);
+
+                // redirect to index
+                $_SESSION['notice'] = "Login successful";
+                $user_id = $userObject->getUserId($username)[0]['id'];
+                $logObject->insertLog($user_id, "Login: User \"$username\" logged in. IP: $user_IP", 'user');
+                header('Location: ' . htmlspecialchars($app_root));
+                exit();
+
+            // login failed
            } else {
-                // 0 - session end on browser close
-                // 1440 - 24 minutes (default)
-                $cookie_lifetime = 0;
-                $setcookie_lifetime = 0;
-                $gc_maxlifetime = 1440;
+                $_SESSION['error'] = "Login failed.";
+                $user_id = $userObject->getUserId($username)[0]['id'];
+                $logObject->insertLog($user_id, "Login: Failed login attempt for user \"$username\". IP: $user_IP", 'user');
+                header('Location: ' . htmlspecialchars($app_root));
+                exit();
            }
-
-            // set session lifetime and cookies
-            setcookie('username', $username, [
-                'expires'	=> $setcookie_lifetime,
-                'path'		=> $config['folder'],
-                'domain'	=> $config['domain'],
-                'secure'	=> isset($_SERVER['HTTPS']),
-                'httponly'	=> true,
-                'samesite'	=> 'Strict'
-            ]);
-
-            // redirect to index
-            $_SESSION['notice'] = "Login successful";
-            $user_id = $userObject->getUserId($username)[0]['id'];
-            $logObject->insertLog($user_id, "Login: User \"$username\" logged in. IP: $user_IP", 'user');
-            header('Location: ' . htmlspecialchars($app_root));
-            exit();
-
-        // login failed
-        } else {
-            $_SESSION['error'] = "Login failed.";
-            $user_id = $userObject->getUserId($username)[0]['id'];
-            $logObject->insertLog($user_id, "Login: Failed login attempt for user \"$username\". IP: $user_IP", 'user');
-            header('Location: ' . htmlspecialchars($app_root));
-            exit();
+        } catch (Exception $e) {
+            $error = $e->getMessage();
        }
    }
 } catch (Exception $e) {
Author	SHA1	Message	Date
Yasen Pramatarov	f549940249	Adds rate limiting to the login page	2024-12-07 15:38:13 +02:00
Yasen Pramatarov	fee0616ca4	Adds rate limiting to the user class	2024-12-07 15:32:28 +02:00
Yasen Pramatarov	626fc4ba2b	Adds rate limiter class	2024-12-06 15:25:15 +02:00