Merge commit from fork

* Backport user enumeration fix.

* Supress warning on use of .NET 6 with TimeProvider dependency.

* Replace TimeProvider with Stopwatch, as the former isn't tested against .NET 6.0 and generates warnings.

* Remove full path details from exception when requesting a path outside of the physical file system's root.

* Added randomness to login duration.

* Ensured against negative duration.

Author: AndyButland

Directory.Build.props

@@ -49,4 +49,5 @@
   <PropertyGroup>
     <GitVersionBaseDirectory>$(MSBuildThisFileDirectory)</GitVersionBaseDirectory>
   </PropertyGroup>
+
 </Project>

src/Umbraco.Core/Configuration/Models/SecuritySettings.cs

@@ -2,6 +2,7 @@
 // See LICENSE for more details.
 
 using System.ComponentModel;
+using System.ComponentModel.DataAnnotations;
 
 namespace Umbraco.Cms.Core.Configuration.Models;
 
@@ -24,6 +25,8 @@ public class SecuritySettings
 
     internal const int StaticMemberDefaultLockoutTimeInMinutes = 30 * 24 * 60;
     internal const int StaticUserDefaultLockoutTimeInMinutes = 30 * 24 * 60;
+    private const long StaticUserDefaultFailedLoginDurationInMilliseconds = 1000;
+    private const long StaticUserMinimumFailedLoginDurationInMilliseconds = 250;
 
     /// <summary>
     ///     Gets or sets a value indicating whether to keep the user logged in.
@@ -109,4 +112,28 @@ public class SecuritySettings
     [Obsolete("Use ContentSettings.AllowEditFromInvariant instead")]
     [DefaultValue(StaticAllowEditInvariantFromNonDefault)]
     public bool AllowEditInvariantFromNonDefault { get; set; } = StaticAllowEditInvariantFromNonDefault;
+
+    /// <summary>
+    /// Gets or sets the default duration (in milliseconds) of failed login attempts.
+    /// </summary>
+    /// <value>
+    /// The default duration (in milliseconds) of failed login attempts.
+    /// </value>
+    /// <remarks>
+    /// The user login endpoint ensures that failed login attempts take at least as long as the average successful login.
+    /// However, if no successful logins have occurred, this value is used as the default duration.
+    /// </remarks>
+    [Range(0, long.MaxValue)]
+    [DefaultValue(StaticUserDefaultFailedLoginDurationInMilliseconds)]
+    public long UserDefaultFailedLoginDurationInMilliseconds { get; set; } = StaticUserDefaultFailedLoginDurationInMilliseconds;
+
+    /// <summary>
+    /// Gets or sets the minimum duration (in milliseconds) of failed login attempts.
+    /// </summary>
+    /// <value>
+    /// The minimum duration (in milliseconds) of failed login attempts.
+    /// </value>
+    [Range(0, long.MaxValue)]
+    [DefaultValue(StaticUserMinimumFailedLoginDurationInMilliseconds)]
+    public long UserMinimumFailedLoginDurationInMilliseconds { get; set; } = StaticUserMinimumFailedLoginDurationInMilliseconds;
 }

src/Umbraco.Core/IO/PhysicalFileSystem.cs

@@ -358,7 +358,7 @@ public string GetFullPath(string path)
 
             // nothing prevents us to reach the file, security-wise, yet it is outside
             // this filesystem's root - throw
-            throw new UnauthorizedAccessException($"File original: [{originalPath}] full: [{path}] is outside this filesystem's root.");
+            throw new UnauthorizedAccessException($"Requested path {originalPath} is outside this filesystem's root.");
         }
 
         /// <summary>

src/Umbraco.Core/TimedScope.cs

@@ -0,0 +1,118 @@
+using System.Diagnostics;
+
+namespace Umbraco.Cms.Core;
+
+/// <summary>
+/// Makes a code block timed (take at least a certain amount of time). This class cannot be inherited.
+/// </summary>
+public sealed class TimedScope : IDisposable, IAsyncDisposable
+{
+    private readonly TimeSpan _duration;
+    private readonly CancellationTokenSource _cancellationTokenSource;
+    private readonly Stopwatch _stopwatch;
+
+    /// <summary>
+    /// Gets the elapsed time.
+    /// </summary>
+    /// <value>
+    /// The elapsed time.
+    /// </value>
+    public TimeSpan Elapsed => _stopwatch.Elapsed;
+
+    /// <summary>
+    /// Gets the remaining time.
+    /// </summary>
+    /// <value>
+    /// The remaining time.
+    /// </value>
+    public TimeSpan Remaining
+        => TryGetRemaining(out TimeSpan remaining) ? remaining : TimeSpan.Zero;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope" /> class.
+    /// </summary>
+    /// <param name="millisecondsDuration">The number of milliseconds the scope should at least take.</param>
+    public TimedScope(long millisecondsDuration)
+        : this(TimeSpan.FromMilliseconds(millisecondsDuration))
+    { }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope" /> class.
+    /// </summary>
+    /// <param name="millisecondsDuration">The number of milliseconds the scope should at least take.</param>
+    /// <param name="cancellationToken">The cancellation token.</param>
+    public TimedScope(long millisecondsDuration, CancellationToken cancellationToken)
+        : this(TimeSpan.FromMilliseconds(millisecondsDuration), cancellationToken)
+    { }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope"/> class.
+    /// </summary>
+    /// <param name="duration">The duration the scope should at least take.</param>
+    public TimedScope(TimeSpan duration)
+        : this(duration, new CancellationTokenSource())
+    { }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope" /> class.
+    /// </summary>
+    /// <param name="duration">The duration the scope should at least take.</param>
+    /// <param name="cancellationToken">The cancellation token.</param>
+    public TimedScope(TimeSpan duration, CancellationToken cancellationToken)
+        : this(duration, CancellationTokenSource.CreateLinkedTokenSource(cancellationToken))
+    { }
+
+    private TimedScope(TimeSpan duration, CancellationTokenSource cancellationTokenSource)
+    {
+        _duration = duration;
+        _cancellationTokenSource = cancellationTokenSource;
+        _stopwatch = new Stopwatch();
+        _stopwatch.Start();
+    }
+
+    /// <summary>
+    /// Cancels the timed scope.
+    /// </summary>
+    public void Cancel()
+        => _cancellationTokenSource.Cancel();
+
+    /// <summary>
+    /// Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources.
+    /// </summary>
+    /// <remarks>
+    /// This will block using <see cref="Thread.Sleep(TimeSpan)" /> until the remaining time has elapsed, if not cancelled.
+    /// </remarks>
+    public void Dispose()
+    {
+        if (_cancellationTokenSource.IsCancellationRequested is false &&
+            TryGetRemaining(out TimeSpan remaining))
+        {
+            Thread.Sleep(remaining);
+        }
+    }
+
+    /// <summary>
+    /// Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources asynchronously.
+    /// </summary>
+    /// <returns>
+    /// A task that represents the asynchronous dispose operation.
+    /// </returns>
+    /// <remarks>
+    /// This will delay using <see cref="Task.Delay(TimeSpan, CancellationToken)" /> until the remaining time has elapsed, if not cancelled.
+    /// </remarks>
+    public async ValueTask DisposeAsync()
+    {
+        if (_cancellationTokenSource.IsCancellationRequested is false &&
+            TryGetRemaining(out TimeSpan remaining))
+        {
+            await Task.Delay(remaining, _cancellationTokenSource.Token).ConfigureAwait(false);
+        }
+    }
+
+    private bool TryGetRemaining(out TimeSpan remaining)
+    {
+        remaining = _duration.Subtract(Elapsed);
+
+        return remaining > TimeSpan.Zero;
+    }
+}

src/Umbraco.Core/Umbraco.Core.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <PackageId>Umbraco.Cms.Core</PackageId>
     <Title>Umbraco CMS - Core</Title>

src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs

@@ -74,6 +74,9 @@ public class AuthenticationController : UmbracoApiControllerBase
     private readonly IUserService _userService;
     private readonly WebRoutingSettings _webRoutingSettings;
 
+    private const int FailedLoginDurationRandomOffsetInMilliseconds = 100;
+    private static long? _loginDurationAverage;
+
     // TODO: We need to review all _userManager.Raise calls since many/most should be on the usermanager or signinmanager, very few should be here
     [ActivatorUtilitiesConstructor]
     public AuthenticationController(
@@ -342,47 +345,83 @@ public async Task<bool> IsAuthenticated()
     [Authorize(Policy = AuthorizationPolicies.DenyLocalLoginIfConfigured)]
     public async Task<ActionResult<UserDetail?>> PostLogin(LoginModel loginModel)
     {
+        // Start a timed scope to ensure failed responses return is a consistent time
+        await using var timedScope = new TimedScope(GetLoginDuration(), CancellationToken.None);
+
         // Sign the user in with username/password, this also gives a chance for developers to
         // custom verify the credentials and auto-link user accounts with a custom IBackOfficePasswordChecker
         SignInResult result = await _signInManager.PasswordSignInAsync(
             loginModel.Username, loginModel.Password, true, true);
 
-        if (result.Succeeded)
+        if (result.Succeeded is false)
         {
-            // return the user detail
-            return GetUserDetail(_userService.GetByUsername(loginModel.Username));
-        }
+            BackOfficeIdentityUser? user = await _userManager.FindByNameAsync(loginModel.Username.Trim());
 
-        if (result.RequiresTwoFactor)
-        {
-            var twofactorView = _backOfficeTwoFactorOptions.GetTwoFactorView(loginModel.Username);
-            if (twofactorView.IsNullOrWhiteSpace())
+            if (user is not null &&
+                await _userManager.CheckPasswordAsync(user, loginModel.Password))
             {
-                return new ValidationErrorResult(
-                    $"The registered {typeof(IBackOfficeTwoFactorOptions)} of type {_backOfficeTwoFactorOptions.GetType()} did not return a view for two factor auth ");
-            }
-
-            IUser? attemptedUser = _userService.GetByUsername(loginModel.Username);
+                // The credentials were correct, so cancel timed scope and provide a more detailed failure response
+                timedScope.Cancel();
 
-            // create a with information to display a custom two factor send code view
-            var verifyResponse =
-                new ObjectResult(new { twoFactorView = twofactorView, userId = attemptedUser?.Id })
+                if (result.RequiresTwoFactor)
                 {
-                    StatusCode = StatusCodes.Status402PaymentRequired
-                };
+                    var twofactorView = _backOfficeTwoFactorOptions.GetTwoFactorView(loginModel.Username);
+                    if (twofactorView.IsNullOrWhiteSpace())
+                    {
+                        return new ValidationErrorResult(
+                            $"The registered {typeof(IBackOfficeTwoFactorOptions)} of type {_backOfficeTwoFactorOptions.GetType()} did not return a view for two factor auth ");
+                    }
+
+                    IUser? attemptedUser = _userService.GetByUsername(loginModel.Username);
+
+                    // create a with information to display a custom two factor send code view
+                    var verifyResponse =
+                        new ObjectResult(new { twoFactorView = twofactorView, userId = attemptedUser?.Id })
+                        {
+                            StatusCode = StatusCodes.Status402PaymentRequired
+                        };
+
+                    return verifyResponse;
+                }
+
+                // TODO: We can check for these and respond differently if we think it's important
+                //  result.IsLockedOut
+                //  result.IsNotAllowed
+            }
 
-            return verifyResponse;
+            // Return BadRequest (400), we don't want to return a 401 because that get's intercepted
+            // by our angular helper because it thinks that we need to re-perform the request once we are
+            // authorized and we don't want to return a 403 because angular will show a warning message indicating
+            // that the user doesn't have access to perform this function, we just want to return a normal invalid message.
+            return BadRequest();
         }
 
-        // TODO: We can check for these and respond differently if we think it's important
-        //  result.IsLockedOut
-        //  result.IsNotAllowed
+        // Set initial or update average (successful) login duration
+        _loginDurationAverage = _loginDurationAverage is long average
+            ? (average + (long)timedScope.Elapsed.TotalMilliseconds) / 2
+            : (long)timedScope.Elapsed.TotalMilliseconds;
+
+        // Cancel the timed scope (we don't want to unnecessarily wait on a successful response)
+        timedScope.Cancel();
+
+        // Return the user detail
+        return GetUserDetail(_userService.GetByUsername(loginModel.Username));
+    }
+
+    private long GetLoginDuration()
+    {
+        var loginDuration = Math.Max(_loginDurationAverage ?? _securitySettings.UserDefaultFailedLoginDurationInMilliseconds, _securitySettings.UserMinimumFailedLoginDurationInMilliseconds);
+        var random = new Random();
+        var randomDelay = random.Next(-FailedLoginDurationRandomOffsetInMilliseconds, FailedLoginDurationRandomOffsetInMilliseconds);
+        loginDuration += randomDelay;
+
+        // Just be sure we don't get a negative number - possible if someone has configured a very low UserMinimumFailedLoginDurationInMilliseconds value.
+        if (loginDuration < 0)
+        {
+            loginDuration = 0;
+        }
 
-        // return BadRequest (400), we don't want to return a 401 because that get's intercepted
-        // by our angular helper because it thinks that we need to re-perform the request once we are
-        // authorized and we don't want to return a 403 because angular will show a warning message indicating
-        // that the user doesn't have access to perform this function, we just want to return a normal invalid message.
-        return BadRequest();
+        return loginDuration;
     }
 
     /// <summary>