feat(Login): Add Support for max login ip test to avoid floor attack

apps/controllers/AuthController.php

@@ -58,25 +58,33 @@ public function actionRecover()
 
     public function actionLogin()
     {
+        $test_attempts = app()->redis->hGet('SITE:fail_login_ip_count', app()->request->getClientIp()) ?: 0;
+        $left_attempts = app()->config->get('security.max_login_attempts') - $test_attempts;
+
         if (app()->request->isPost()) {
             $login = new UserLoginForm();
             $login->importAttributes(app()->request->post());
             $error = $login->validate();
 
             if (count($error) > 0) {
-                return $this->render("auth/login.html.twig", ["username" => $login->username, "error_msg" => $error->get(0)]);
+                $login->LoginFail();
+                return $this->render("auth/login.html.twig", [
+                    "username" => $login->username,
+                    "error_msg" => $error->get(0),
+                    'left_attempts' => $left_attempts
+                ]);
             } else {
                 $success = $login->createUserSession();
                 if ($success) {
                     $login->updateUserLoginInfo();
                     $return_to = app()->session->pop('login_return_to') ?? '/index';
                     return app()->response->redirect($return_to);
                 } else {
-                    return $this->render('errors/action_fail.html.twig',['title'=> 'Login Failed','msg' => 'Reach the limit of Max User Session.']);
+                    return $this->render('errors/action_fail.html.twig', ['title' => 'Login Failed', 'msg' => 'Reach the limit of Max User Session.']);
                 }
             }
         } else {
-            return $this->render("auth/login.html.twig");
+            return $this->render("auth/login.html.twig", ['left_attempts' => $left_attempts]);
         }
     }
 

apps/middleware/BeforeMiddleware.php

@@ -16,6 +16,11 @@ public function handle($callable, \Closure $next)
         if ($controllerName === \apps\controllers\AuthController::class) {
             if (!$isAnonymousUser && in_array($action, ["actionLogin", "actionRegister"])) {
                 return app()->response->redirect("/index");
+            } elseif ($action == 'actionLogin') {
+                $test_count = app()->redis->hGet('SITE:fail_login_ip_count', app()->request->getClientIp()) ?: 0;
+                if ($test_count > app()->config->get('security.max_login_attempts')) {
+                    return app()->response->setStatusCode(403);
+                }
             } elseif ($action !== "actionLogout") {
                 return $next();
             }

apps/models/form/UserLoginForm.php

@@ -113,11 +113,18 @@ public function loadUserFromPdo(ExecutionContextInterface $context)
         }
     }
 
-    public function isMaxLoginIpReached()
+    public function isMaxLoginIpReached(ExecutionContextInterface $context)
     {
-        // TODO Check User Fail Login Ip Count
+        $test_count = app()->redis->hGet('SITE:fail_login_ip_count', app()->request->getClientIp()) ?: 0;
+        if ($test_count > app()->config->get('security.max_login_attempts')) {
+            $context->buildViolation("User Max Login Attempts Archived.")->addViolation();
+        }
     }
 
+    public function LoginFail() {
+        app()->redis->zAdd('SITE:fail_login_ip_zset', time(), app()->request->getClientIp());
+        app()->redis->hIncrBy('SITE:fail_login_ip_count', app()->request->getClientIp(), 1);
+    }
 
     public function createUserSession()
     {

apps/views/auth/login.html.twig

@@ -8,41 +8,25 @@
 
         <div class="row">
             <div class="form-group col-md-4">
+                {% if left_attempts < 3 %}
+                    <div class="form-group">
+                        <p class="bg-danger">Left Login attempts: <strong class="text-center">{{ left_attempts }}</strong></p>
+                    </div>
+                {% endif %}
                 <div class="form-group">
                     <label class="control-label" for="username">Username or email address</label>
                     <input autofocus="" class="form-control" id="username" name="username" placeholder="Username" tabindex="1" title="" type="text" value="{{ username }}">
                 </div>
-
-            </div>
-        </div>
-
-        <div class="row">
-            <div class="form-group col-md-4">
                 <div class="form-group">
                     <label class="control-label" for="password">Password</label>
-
-                    <small>
-                        <a href="/auth/recover">Forgot your password?</a>
-                    </small>
-
+                    <small><a href="/auth/recover">Forgot your password?</a></small>
                     <input class="form-control" id="password" name="password" tabindex="2" title="" type="password" value="">
                 </div>
-            </div>
-        </div>
-
-        <div class="row">
-            <div class="form-group col-md-4">
                 <div class="form-group">
                     <label class="control-label" for="opt">2FA Code</label>
                     <input autofocus="" class="form-control" id="opt" name="opt" placeholder="Google Authenticator key" tabindex="3" title="" type="text" value="" maxlength="6">
                     <small>Your Google 2FA code,And Left blank If you don't set.</small>
                 </div>
-
-            </div>
-        </div>
-
-        <div class="row">
-            <div class="form-group col-md-4">
                 <div class="form-group">
                     <label class="control-label" for="captcha">Captcha</label>
                     <div class="row">
@@ -53,24 +37,13 @@
                     </div>
                     <small>Not case sensitive.</small>
                 </div>
-            </div>
-        </div>
-
-        {% if error_msg %}
-            <div class="row">
-                <div class="form-group col-md-4">
+                {% if error_msg %}
                     <div class="form-group">
                         <p class="bg-danger">Login failed: <strong class="text-center">{{ error_msg }}</strong></p>
                     </div>
-                </div>
-            </div>
-        {% endif %}
-
-        <div class="row">
-            <div class="col-md-4">
+                {% endif %}
                 <input type="submit" value="Login" class="btn btn-primary" tabindex="4">
             </div>
         </div>
-
     </form>
 {% endblock %}

framework/Redis/BaseRedisConnection.php

@@ -152,7 +152,7 @@
  * @method int zInter($Output, $ZSetKeys, array $Weights = null, $aggregateFunction = 'SUM')
  * @method int|bool hSet($key, $hashKey, $value)
  * @method bool hSetNx($key, $hashKey, $value)
- * @method string hGet($key, $hashKey)
+ * @method string|bool hGet($key, $hashKey)
  * @method int hLen($key)
  * @method int|bool hDel($key, $hashKey1, $hashKey2 = null, $hashKeyN = null)
  * @method array hKeys($key)

migration/ridpt.sql

@@ -3,7 +3,7 @@
 -- https://www.phpmyadmin.net/
 --
 -- Host: 127.0.0.1
--- Generation Time: Jan 31, 2019 at 11:42 AM
+-- Generation Time: Feb 01, 2019 at 08:34 AM
 -- Server version: 5.7.24-log
 -- PHP Version: 7.2.14
 
@@ -370,6 +370,7 @@ INSERT INTO `site_config` (`name`, `value`, `update_at`) VALUES
 ('register.user_default_status', 'pending', '2018-12-05 13:56:19'),
 ('register.user_default_uploaded', '0', '2018-12-05 13:56:19'),
 ('register.user_default_uploadpos', '1', '2018-12-05 13:56:19'),
+('security.max_login_attempts', '10', '2019-02-01 08:06:51'),
 ('torrent.max_file_size', '3145728', '2018-12-13 02:04:45'),
 ('torrent.max_nfo_size', '65535', '2018-12-13 02:04:45'),
 ('tracker.cheater_check', '1', '2018-11-27 10:28:13'),