From 2dfddf9599bcf6a7a8f25c450c52d5899847f53f Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Tue, 9 Apr 2024 12:41:52 +0200
Subject: [PATCH] fix(frontpage): Don't bruteforce protect "undefined"

It's a misbehaving bug in the frontend but we are yet unsure how it occurres

Signed-off-by: Joas Schilling
---
 lib/Controller/PageController.php | 13 +++++++++++--
 .../conversation-1/bruteforce-protection.feature | 6 ++++++
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php
index cd4f3c6e63d..d8269d2db3c 100644
--- a/lib/Controller/PageController.php
+++ b/lib/Controller/PageController.php
@@ -205,8 +205,11 @@ protected function pageHandler(string $token = '', string $callUser = '', string
 }
 } catch (RoomNotFoundException $e) {
 // Room not found, redirect to main page
+ $throttle = $token !== 'undefined';
+ if ($token === 'undefined') {
+ $this->logger->debug('User "' . ($this->userId ?? 'ANONYMOUS') . '" tried to access "undefined"', ['app' => 'spreed-bfp']);
+ }
 $token = '';
- $throttle = true;
 }
 
 if ($room instanceof Room && $room->hasPassword()) {
@@ -361,7 +364,13 @@ protected function guestEnterRoom(string $token, string $password): Response {
 $response = new RedirectResponse($this->url->linkToRoute('core.login.showLoginForm', [
 'redirect_url' => $redirectUrl,
 ]));
- $response->throttle(['token' => $token, 'action' => 'talkRoomToken']);
+ if ($token !== 'undefined') {
+ // Logged-in user tried to access a chat they can not access
+ $this->logger->debug('User "' . ($this->userId ?? 'ANONYMOUS') . '" throttled for accessing "' . $token . '"', ['app' => 'spreed-bfp']);
+ $response->throttle(['token' => $token, 'action' => 'talkRoomToken']);
+ } else {
+ $this->logger->debug('User "' . ($this->userId ?? 'ANONYMOUS') . '" tried to access "undefined"', ['app' => 'spreed-bfp']);
+ }
 return $response;
 }
 
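Review bot: The exemption introduced on the new `$throttle = $token !== 'undefined';` line carries no explanation in the code, and the very same condition is then re-evaluated in the `if ($token === 'undefined')` that follows; the rationale lives only in the commit message. I would evaluate it once and say why skipping the counter is safe: `// The frontend sometimes requests the literal token "undefined" (cause unknown); it can never name a room, so not counting it does not weaken token brute-force protection.` followed by `if (!$throttle) {` for the debug log. It is worth stating in that comment that the exemption must stay an exact-string match, because a broader pattern could overlap real tokens and give an uncounted probing channel. The `'undefined'` literal and the log text are repeated in guestEnterRoom in the next hunk, so a private class constant would keep the two sites in sync, though the class header is outside this hunk. pageHandler's body starts and ends outside this hunk.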
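Review bot: The new throttled-branch debug message concatenates the caller-supplied `$token` into the log string, which the sibling `'tried to access "undefined"'` message and the pageHandler hunk avoid; passing it as context, `$this->logger->debug('User "{user}" throttled for accessing "{token}"', ['app' => 'spreed-bfp', 'user' => $this->userId ?? 'ANONYMOUS', 'token' => $token]);`, keeps an arbitrary string out of the message body and follows PSR-3 placeholder style, assuming the injected logger is PSR-3, which the hunk does not show. The comment `// Logged-in user tried to access a chat they can not access` now sits inside the non-"undefined" branch only, although the redirect built on the lines above is returned on both paths; if it describes the whole situation it reads better above the `if`. Between the two hunks the `'undefined'` literal is now compared three times and the "ANONYMOUS" fallback spelled out three times; a private constant and a small `logBruteforceSkip()` helper would stop the exemption drifting, though both would live outside this hunk. guestEnterRoom starts outside this hunk.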
diff --git a/tests/integration/features/conversation-1/bruteforce-protection.feature b/tests/integration/features/conversation-1/bruteforce-protection.feature
index 7f15ee33c98..94a48ef1c87 100644
--- a/tests/integration/features/conversation-1/bruteforce-protection.feature
+++ b/tests/integration/features/conversation-1/bruteforce-protection.feature
@@ -72,6 +72,12 @@ Feature: conversation/bruteforce-protection
 When user "participant2" views call-URL of room "invalid" with 200
 When user "participant2" views call-URL of room "invalid" with 200
 When user "participant2" views call-URL of room "invalid" with 200
+ When user "participant2" views call-URL of room "undefined" with 200
+ When user "participant2" views call-URL of room "undefined" with 200
+ When user "participant2" views call-URL of room "undefined" with 200
+ When user "participant2" views call-URL of room "undefined" with 200
+ When user "participant2" views call-URL of room "undefined" with 200
+ When user "participant2" views call-URL of room "undefined" with 200
 When user "participant2" views call-URL of room "invalid" with 200
 When user "participant2" views call-URL of room "invalid" with 200
 When user "participant2" views call-URL of room "invalid" with 200
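Review bot: The six added `"undefined"` steps only demonstrate that such requests do not advance the attempt counter, and only if the scenario's throttled assertion further down (outside this hunk) still fires after the unchanged number of `"invalid"` views; nothing here pins that an `"undefined"` request is itself served once the client is over the limit. A closing step such as `When user "participant2" views call-URL of room "undefined" with 200` placed after the expected throttled response would cover that directly, though whether the brute-force middleware delays or rejects the request before the controller runs is not visible here, so the expected status needs confirming. From what is visible the scenario exercises the page route only, so the guestEnterRoom branch changed in the same commit appears uncovered unless another scenario hits it. The scenario's remaining steps lie outside this hunk.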