Added request rate limiters and improved login throttling

wouterj · wouterj · commit d1c8516ede87 · 2020-09-30T21:18:40.000+02:00
This allows limiting on different elements of a request. This is usefull to
e.g. prevent breadth-first attacks, by allowing to enforce a limit on both IP
and IP+username.
diff --git a/Exception/TooManyLoginAttemptsAuthenticationException.php b/Exception/TooManyLoginAttemptsAuthenticationException.php
@@ -19,11 +19,46 @@
  */
 class TooManyLoginAttemptsAuthenticationException extends AuthenticationException
 {
+    private $threshold;
+
+    public function __construct(int $threshold = null)
+    {
+        $this->threshold = $threshold;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getMessageData(): array
+    {
+        return [
+            '%minutes%' => $this->threshold,
+        ];
+    }
+
     /**
      * {@inheritdoc}
      */
     public function getMessageKey(): string
     {
-        return 'Too many failed login attempts, please try again later.';
+        return 'Too many failed login attempts, please try again '.($this->threshold ? 'in %minutes% minute'.($this->threshold > 1 ? 's' : '').'.' : 'later.');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function __serialize(): array
+    {
+        return [$this->threshold, parent::__serialize()];
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function __unserialize(array $data): void
+    {
+        [$this->threshold, $parentData] = $data;
+        $parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
+        parent::__unserialize($parentData);
     }
 }
