Enable login throttling

Author: ivanvermeyen

README.md

@@ -77,6 +77,34 @@ You can change the URL by setting this option:
 
 It runs under the `web` middleware since it uses the session to keep you logged in. You can change the middleware if needed in the [configuration file](#publish-configuration-file).
 
+## Throttle Login Attempts
+
+To prevent malicious users from brute forcing passwords, login attempts will be throttled unless you disable it. You can change the number of failed attempts per minute to allow, and the delay (in minutes) that users have to wait after reaching the maximum failed attempts.
+
+| Option                      | Type      | Default          |
+| --------------------------- | --------- | ---------------- |
+| `STAGEFRONT_THROTTLE`       | `bool`    | `true`           |
+| `STAGEFRONT_THROTTLE_TRIES` | `integer` | `3` (per minute) |
+| `STAGEFRONT_THROTTLE_DELAY` | `integer` | `5` (minutes)    |
+
+When you tried to login too many times, Laravel's 429 error page will be shown. You can easily modify this by creating a `429.blade.php` view in `resources/views/errors`. To save you a little time, I have included a localized template you can include in that page:
+
+```blade
+@include('stagefront::429')
+```
+
+If you want to include a different partial for other throttled pages, you can check the request:
+
+```blade
+@if (request()->is(config('stagefront.url')))
+    @include('stagefront::429')
+@else
+    @include('your.partial.view')
+@endif
+```
+
+Text in this view can be changed via the [translation files](#translations-and-views).
+
 ## Ignore URLs
 
 If for any reason you wish to disable StageFront on specific routes, you can add these to the `ignore_urls` array in the [configuration file](#publish-configuration-file). You can use wildcards if needed. You can't set this in the `.env` file.
@@ -112,7 +140,7 @@ php artisan vendor:publish
 
 Each option is documented.
 
-## Translations & Login View
+## Translations and Views
 
 You can publish the translations to quickly adjust the text on the login screen and the errors. If you want to customize the login page entirely, you can also publish the view.
 

config/stagefront.php

@@ -78,6 +78,30 @@
      */
     'url' => env('STAGEFRONT_URL', 'stagefront'),
 
+    /**
+     * To prevent malicious users from brute forcing passwords
+     * login attempts will be throttled unless you disable it.
+     *
+     * Default: true
+     */
+    'throttle' => env('STAGEFRONT_THROTTLE', true),
+
+    /**
+     * Number of failed login attempts per minute before
+     * users are locked out for a period of time.
+     *
+     * Default: 3
+     */
+    'throttle_tries' => env('STAGEFRONT_THROTTLE_TRIES', 3),
+
+    /**
+     * Number of minutes to lock out users after reaching
+     * the maximum number of login attempts.
+     *
+     * Default: 5
+     */
+    'throttle_delay' => env('STAGEFRONT_THROTTLE_DELAY', 5),
+
     /**
      * The route middleware to use.
      * Since StageFront uses the session, we definitely require

resources/lang/en/errors.php

@@ -1,11 +1,21 @@
 <?php
 
 return [
+
     'login' => [
         'required' => 'Enter a login.',
     ],
+
     'password' => [
         'required' => 'Enter a password.',
         'match' => 'Invalid credentials.',
     ],
+
+    'throttled' => [
+        'intro' => 'Maximum number of failed login attempts exceeded.',
+        'remaining' => 'Try again in :remaining.',
+        'moment' => 'a moment',
+        'back' => 'Back',
+    ],
+
 ];

resources/lang/nl/errors.php

@@ -1,11 +1,21 @@
 <?php
 
 return [
+
     'login' => [
         'required' => 'Vul een login in.',
     ],
+
     'password' => [
         'required' => 'Vul een wachtwoord in.',
         'match' => 'Ongeldige gebruikersnaam of wachtwoord.',
     ],
+
+    'throttled' => [
+        'intro' => 'Maximum aantal mislukte login pogingen overschreden.',
+        'remaining' => 'Probeer opnieuw over :remaining.',
+        'moment' => 'enkele ogenblikken',
+        'back' => 'Terug',
+    ],
+
 ];

resources/views/429.blade.php

@@ -0,0 +1,78 @@
+<!doctype html>
+<html lang="{{ app()->getLocale() }}">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
+    <meta http-equiv="X-UA-Compatible" content="ie=edge">
+    <title>{{ config('app.name') }}</title>
+    <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato:300,700">
+    <style>
+        html, body {
+            height: 100%;
+            margin: 0;
+        }
+        body {
+            display: flex;
+            flex-direction: row;
+            align-items: center;
+            justify-content: center;
+            font-family: 'Lato', sans-serif;
+            text-align: center;
+            font-size: 20px;
+        }
+        section {
+            padding: 1em;
+        }
+        small {
+            font-size: .8em;
+        }
+        a, a:visited, a:active {
+            text-decoration: none;
+        }
+        a.button {
+            display: inline-block;
+            width: 100%;
+            max-width: 150px;
+            line-height: 1.5em;
+            padding: .5em;
+            font-size: 1rem;
+            box-shadow: none;
+            background: #212121;
+            color: #ffffff;
+            border: 1px solid #212121;
+            cursor: pointer;
+            margin-top: 1em;
+        }
+        a.button:focus {
+            outline: none;
+            box-shadow: none;
+            border: 1px solid #212121;
+        }
+        .caps {
+            text-transform: uppercase;
+        }
+        .center {
+            text-align: center;
+        }
+    </style>
+</head>
+<body>
+
+<section>
+
+    <h1 class="caps">{{ config('app.name') }}</h1>
+
+    <p>{{ trans('stagefront::errors.throttled.intro') }}</p>
+
+    <p><small>{{ trans('stagefront::errors.throttled.remaining', ['remaining' => $timeRemaining]) }}</small></p>
+
+    <p class="center">
+        <a href="{{ config('stagefront.url') }}" class="button caps">
+            &langle; {{ trans('stagefront::errors.throttled.back') }}
+        </a>
+    </p>
+
+</section>
+
+</body>
+</html>

routes/routes.php

@@ -7,9 +7,13 @@
     Route::group(['middleware' => config('stagefront.middleware')], function () {
 
         $url = config('stagefront.url');
+        $throttle = config('stagefront.throttle');
+        $tries = config('stagefront.throttle_tries');
+        $delay = config('stagefront.throttle_delay');
+        $middleware = $throttle ? "throttle:{$tries},{$delay}" : [];
 
         Route::get($url, StageFrontController::class.'@create');
-        Route::post($url, StageFrontController::class.'@store');
+        Route::post($url, StageFrontController::class.'@store')->middleware($middleware);
 
     });
 

src/Composers/ThrottleTimeRemaining.php

@@ -0,0 +1,76 @@
+<?php
+
+namespace CodeZero\StageFront\Composers;
+
+use Carbon\Carbon;
+use Illuminate\Cache\RateLimiter;
+use Illuminate\Contracts\View\View;
+
+class ThrottleTimeRemaining
+{
+    /**
+     * Provide the view with the time remaining on the throttle.
+     *
+     * @param \Illuminate\Contracts\View\View $view
+     *
+     * @return void
+     */
+    public function compose(View $view)
+    {
+        $view->with('timeRemaining', $this->getTimeRemaining());
+    }
+
+    /**
+     * Get the time remaining on the throttle in a human readable format.
+     *
+     * @return string
+     */
+    protected function getTimeRemaining()
+    {
+        if ( ! $key = $this->getCacheKey()) {
+            return trans('stagefront::errors.throttled.moment');
+        }
+
+        $secondsRemaining = $this->getSecondRemaining($key);
+
+        Carbon::setLocale(app()->getLocale());
+
+        return Carbon::now()
+            ->addSeconds($secondsRemaining)
+            ->diffForHumans(null, true);
+    }
+
+    /**
+     * Resolve the cache key for the throttle info.
+     * See `resolveRequestSignature` method:
+     * https://github.com/illuminate/routing/blob/master/Middleware/ThrottleRequests.php#L88
+     *
+     * @return string|null
+     */
+    protected function getCacheKey()
+    {
+        $request = request();
+
+        if ($user = $request->user()) {
+            return sha1($user->getAuthIdentifier());
+        }
+
+        if ($route = $request->route()) {
+            return sha1($route->getDomain().'|'.$request->ip());
+        }
+
+        return null;
+    }
+
+    /**
+     * Get the remaining seconds on the throttle.
+     *
+     * @param string $key
+     *
+     * @return mixed
+     */
+    protected function getSecondRemaining($key)
+    {
+        return app(RateLimiter::class)->availableIn($key);
+    }
+}

src/StageFrontServiceProvider.php

@@ -2,6 +2,7 @@
 
 namespace CodeZero\StageFront;
 
+use CodeZero\StageFront\Composers\ThrottleTimeRemaining;
 use Illuminate\Support\ServiceProvider;
 
 class StageFrontServiceProvider extends ServiceProvider
@@ -22,6 +23,7 @@ public function boot()
     {
         $this->loadRoutes();
         $this->loadViews();
+        $this->loadViewComposers();
         $this->loadTranslations();
         $this->registerPublishableFiles();
     }
@@ -56,6 +58,16 @@ protected function loadViews()
         $this->loadViewsFrom(__DIR__.'/../resources/views', $this->name);
     }
 
+    /**
+     * Load the package view composers.
+     *
+     * @return void
+     */
+    protected function loadViewComposers()
+    {
+        view()->composer('stagefront::429', ThrottleTimeRemaining::class);
+    }
+
     /**
      * Load package translations.
      *

tests/StageFrontTest.php

@@ -242,6 +242,44 @@ public function urls_can_be_ignored_so_access_is_not_denied_by_stagefront()
         $this->get('/public/route')->assertStatus(200)->assertSee('Route');
     }
 
+    /** @test */
+    public function it_throttles_login_attempts()
+    {
+        $faultyCredentials = [
+            'login' => 'tester',
+            'password' => 'invalid',
+        ];
+
+        config()->set('stagefront.throttle', true);
+        config()->set('stagefront.throttle_tries', 2);
+        config()->set('stagefront.throttle_delay', 2);
+
+        $this->enableStageFront();
+
+        $this->submitForm($faultyCredentials)->assertRedirect($this->url);
+        $this->submitForm($faultyCredentials)->assertRedirect($this->url);
+        $this->submitForm($faultyCredentials)->assertStatus(429);
+    }
+
+    /** @test */
+    public function throttling_login_attempts_can_be_disabled()
+    {
+        $faultyCredentials = [
+            'login' => 'tester',
+            'password' => 'invalid',
+        ];
+
+        config()->set('stagefront.throttle', false);
+        config()->set('stagefront.throttle_tries', 2);
+        config()->set('stagefront.throttle_delay', 2);
+
+        $this->enableStageFront();
+
+        $this->submitForm($faultyCredentials)->assertRedirect($this->url);
+        $this->submitForm($faultyCredentials)->assertRedirect($this->url);
+        $this->submitForm($faultyCredentials)->assertRedirect($this->url);
+    }
+
     /**
      * Tell Laravel we navigated to this intended URL and
      * got redirected to the login page so that