Merge pull request #38280 from nextcloud/backport/38274/stable21

nickvergessen · web-flow · commit 159676f04467 · 2023-05-16T11:34:22.000+02:00
[stable21] fix(middleware): Also abort the request when reaching max delay in af…
diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
@@ -87,8 +87,16 @@ public function afterController($controller, $methodName, Response $response) {
 		if ($this->reflector->hasAnnotation('BruteForceProtection') && $response->isThrottled()) {
 			$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
 			$ip = $this->request->getRemoteAddress();
-			$this->throttler->sleepDelay($ip, $action);
 			$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());
+			try {
+				$this->throttler->sleepDelayOrThrowOnMax($ip, $action);
+			} catch (MaxDelayReached $e) {
+				if ($controller instanceof OCSController) {
+					throw new OCSException($e->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);
+				}
+
+				return new TooManyRequestsResponse();
+			}
 		}
 
 		return parent::afterController($controller, $methodName, $response);
diff --git a/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php
@@ -126,7 +126,7 @@ public function testAfterControllerWithAnnotationAndThrottledRequest() {
 			->willReturn('127.0.0.1');
 		$this->throttler
 			->expects($this->once())
-			->method('sleepDelay')
+			->method('sleepDelayOrThrowOnMax')
 			->with('127.0.0.1', 'login');
 		$this->throttler
 			->expects($this->once())
@@ -158,7 +158,7 @@ public function testAfterControllerWithAnnotationAndNotThrottledRequest() {
 			->method('getRemoteAddress');
 		$this->throttler
 			->expects($this->never())
-			->method('sleepDelay');
+			->method('sleepDelayOrThrowOnMax');
 		$this->throttler
 			->expects($this->never())
 			->method('registerAttempt');
@@ -182,7 +182,7 @@ public function testAfterControllerWithoutAnnotation() {
 			->method('getRemoteAddress');
 		$this->throttler
 			->expects($this->never())
-			->method('sleepDelay');
+			->method('sleepDelayOrThrowOnMax');
 
 		/** @var Controller|\PHPUnit\Framework\MockObject\MockObject $controller */
 		$controller = $this->createMock(Controller::class);
