Skip to content

Commit

Permalink
fix(frontpage): Don't bruteforce protect "undefined"
Browse files Browse the repository at this point in the history
It's a misbehaving bug in the frontend but we are yet unsure how it occurres

Signed-off-by: Joas Schilling <coding@schilljs.com>
  • Loading branch information
nickvergessen committed Apr 9, 2024
1 parent fd09f89 commit 2dfddf9
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 2 deletions.
13 changes: 11 additions & 2 deletions lib/Controller/PageController.php
Original file line number Diff line number Diff line change
Expand Up @@ -205,8 +205,11 @@ protected function pageHandler(string $token = '', string $callUser = '', string
}
} catch (RoomNotFoundException $e) {
// Room not found, redirect to main page
$throttle = $token !== 'undefined';
if ($token === 'undefined') {
$this->logger->debug('User "' . ($this->userId ?? 'ANONYMOUS') . '" tried to access "undefined"', ['app' => 'spreed-bfp']);
}
$token = '';
$throttle = true;
}

if ($room instanceof Room && $room->hasPassword()) {
Expand Down Expand Up @@ -361,7 +364,13 @@ protected function guestEnterRoom(string $token, string $password): Response {
$response = new RedirectResponse($this->url->linkToRoute('core.login.showLoginForm', [
'redirect_url' => $redirectUrl,
]));
$response->throttle(['token' => $token, 'action' => 'talkRoomToken']);
if ($token !== 'undefined') {
// Logged-in user tried to access a chat they can not access
$this->logger->debug('User "' . ($this->userId ?? 'ANONYMOUS') . '" throttled for accessing "' . $token . '"', ['app' => 'spreed-bfp']);
$response->throttle(['token' => $token, 'action' => 'talkRoomToken']);
} else {
$this->logger->debug('User "' . ($this->userId ?? 'ANONYMOUS') . '" tried to access "undefined"', ['app' => 'spreed-bfp']);
}
return $response;
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,12 @@ Feature: conversation/bruteforce-protection
When user "participant2" views call-URL of room "invalid" with 200
When user "participant2" views call-URL of room "invalid" with 200
When user "participant2" views call-URL of room "invalid" with 200
When user "participant2" views call-URL of room "undefined" with 200
When user "participant2" views call-URL of room "undefined" with 200
When user "participant2" views call-URL of room "undefined" with 200
When user "participant2" views call-URL of room "undefined" with 200
When user "participant2" views call-URL of room "undefined" with 200
When user "participant2" views call-URL of room "undefined" with 200
When user "participant2" views call-URL of room "invalid" with 200
When user "participant2" views call-URL of room "invalid" with 200
When user "participant2" views call-URL of room "invalid" with 200
Expand Down

0 comments on commit 2dfddf9

Please sign in to comment.