Merge commit from fork

* Add TimedScope

* Use TimedScope in login endpoint

* Use seperate default duration and only calculate average of actual successful responses

* Only return detailed error responses if credentials are valid

* Cancel timed scope when credentials are valid

* Add UserDefaultFailedLoginDuration and UserMinimumFailedLoginDuration settings

Author: ronaldbarendse

src/Umbraco.Core/Configuration/Models/SecuritySettings.cs

@@ -2,6 +2,7 @@
 // See LICENSE for more details.
 
 using System.ComponentModel;
+using System.ComponentModel.DataAnnotations;
 
 namespace Umbraco.Cms.Core.Configuration.Models;
 
@@ -25,6 +26,8 @@ public class SecuritySettings
 
     internal const int StaticMemberDefaultLockoutTimeInMinutes = 30 * 24 * 60;
     internal const int StaticUserDefaultLockoutTimeInMinutes = 30 * 24 * 60;
+    private const long StaticUserDefaultFailedLoginDurationInMilliseconds = 1000;
+    private const long StaticUserMinimumFailedLoginDurationInMilliseconds = 250;
     internal const string StaticAuthorizeCallbackPathName = "/umbraco/oauth_complete";
     internal const string StaticAuthorizeCallbackLogoutPathName = "/umbraco/logout";
     internal const string StaticAuthorizeCallbackErrorPathName = "/umbraco/error";
@@ -108,6 +111,30 @@ public class SecuritySettings
     [DefaultValue(StaticAllowConcurrentLogins)]
     public bool AllowConcurrentLogins { get; set; } = StaticAllowConcurrentLogins;
 
+    /// <summary>
+    /// Gets or sets the default duration (in milliseconds) of failed login attempts.
+    /// </summary>
+    /// <value>
+    /// The default duration (in milliseconds) of failed login attempts.
+    /// </value>
+    /// <remarks>
+    /// The user login endpoint ensures that failed login attempts take at least as long as the average successful login.
+    /// However, if no successful logins have occurred, this value is used as the default duration.
+    /// </remarks>
+    [Range(0, long.MaxValue)]
+    [DefaultValue(StaticUserDefaultFailedLoginDurationInMilliseconds)]
+    public long UserDefaultFailedLoginDurationInMilliseconds { get; set; } = StaticUserDefaultFailedLoginDurationInMilliseconds;
+
+    /// <summary>
+    /// Gets or sets the minimum duration (in milliseconds) of failed login attempts.
+    /// </summary>
+    /// <value>
+    /// The minimum duration (in milliseconds) of failed login attempts.
+    /// </value>
+    [Range(0, long.MaxValue)]
+    [DefaultValue(StaticUserMinimumFailedLoginDurationInMilliseconds)]
+    public long UserMinimumFailedLoginDurationInMilliseconds { get; set; } = StaticUserMinimumFailedLoginDurationInMilliseconds;
+
     /// <summary>
     ///     Gets or sets a value of the back-office host URI. Use this when running the back-office client and the Management API on different hosts. Leave empty when running both on the same host.
     /// </summary>

src/Umbraco.Core/TimedScope.cs

@@ -0,0 +1,162 @@
+namespace Umbraco.Cms.Core;
+
+/// <summary>
+/// Makes a code block timed (take at least a certain amount of time). This class cannot be inherited.
+/// </summary>
+public sealed class TimedScope : IDisposable, IAsyncDisposable
+{
+    private readonly TimeSpan _duration;
+    private readonly TimeProvider _timeProvider;
+    private readonly CancellationTokenSource _cancellationTokenSource;
+    private readonly long _startingTimestamp;
+
+    /// <summary>
+    /// Gets the elapsed time.
+    /// </summary>
+    /// <value>
+    /// The elapsed time.
+    /// </value>
+    public TimeSpan Elapsed
+        => _timeProvider.GetElapsedTime(_startingTimestamp);
+
+    /// <summary>
+    /// Gets the remaining time.
+    /// </summary>
+    /// <value>
+    /// The remaining time.
+    /// </value>
+    public TimeSpan Remaining
+        => TryGetRemaining(out TimeSpan remaining) ? remaining : TimeSpan.Zero;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope" /> class.
+    /// </summary>
+    /// <param name="millisecondsDuration">The number of milliseconds the scope should at least take.</param>
+    public TimedScope(long millisecondsDuration)
+        : this(TimeSpan.FromMilliseconds(millisecondsDuration))
+    { }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope" /> class.
+    /// </summary>
+    /// <param name="millisecondsDuration">The number of milliseconds the scope should at least take.</param>
+    /// <param name="cancellationToken">The cancellation token.</param>
+    public TimedScope(long millisecondsDuration, CancellationToken cancellationToken)
+        : this(TimeSpan.FromMilliseconds(millisecondsDuration), cancellationToken)
+    { }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope" /> class.
+    /// </summary>
+    /// <param name="millisecondsDuration">The number of milliseconds the scope should at least take.</param>
+    /// <param name="timeProvider">The time provider.</param>
+    public TimedScope(long millisecondsDuration, TimeProvider timeProvider)
+        : this(TimeSpan.FromMilliseconds(millisecondsDuration), timeProvider)
+    { }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope" /> class.
+    /// </summary>
+    /// <param name="millisecondsDuration">The number of milliseconds the scope should at least take.</param>
+    /// <param name="timeProvider">The time provider.</param>
+    /// <param name="cancellationToken">The cancellation token.</param>
+    public TimedScope(long millisecondsDuration, TimeProvider timeProvider, CancellationToken cancellationToken)
+        : this(TimeSpan.FromMilliseconds(millisecondsDuration), timeProvider, cancellationToken)
+    { }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope"/> class.
+    /// </summary>
+    /// <param name="duration">The duration the scope should at least take.</param>
+    public TimedScope(TimeSpan duration)
+        : this(duration, TimeProvider.System)
+    { }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope" /> class.
+    /// </summary>
+    /// <param name="duration">The duration the scope should at least take.</param>
+    /// <param name="timeProvider">The time provider.</param>
+    public TimedScope(TimeSpan duration, TimeProvider timeProvider)
+        : this(duration, timeProvider, new CancellationTokenSource())
+    { }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope" /> class.
+    /// </summary>
+    /// <param name="duration">The duration the scope should at least take.</param>
+    /// <param name="cancellationToken">The cancellation token.</param>
+    public TimedScope(TimeSpan duration, CancellationToken cancellationToken)
+        : this(duration, TimeProvider.System, cancellationToken)
+    { }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TimedScope" /> class.
+    /// </summary>
+    /// <param name="duration">The duration the scope should at least take.</param>
+    /// <param name="timeProvider">The time provider.</param>
+    /// <param name="cancellationToken">The cancellation token.</param>
+    public TimedScope(TimeSpan duration, TimeProvider timeProvider, CancellationToken cancellationToken)
+        : this(duration, timeProvider, CancellationTokenSource.CreateLinkedTokenSource(cancellationToken))
+    { }
+
+    private TimedScope(TimeSpan duration, TimeProvider timeProvider, CancellationTokenSource cancellationTokenSource)
+    {
+        _duration = duration;
+        _timeProvider = timeProvider;
+        _cancellationTokenSource = cancellationTokenSource;
+        _startingTimestamp = timeProvider.GetTimestamp();
+    }
+
+    /// <summary>
+    /// Cancels the timed scope.
+    /// </summary>
+    public void Cancel()
+        => _cancellationTokenSource.Cancel();
+
+    /// <summary>
+    /// Cancels the timed scope asynchronously.
+    /// </summary>
+    public async Task CancelAsync()
+        => await _cancellationTokenSource.CancelAsync().ConfigureAwait(false);
+
+    /// <summary>
+    /// Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources.
+    /// </summary>
+    /// <remarks>
+    /// This will block using <see cref="Thread.Sleep(TimeSpan)" /> until the remaining time has elapsed, if not cancelled.
+    /// </remarks>
+    public void Dispose()
+    {
+        if (_cancellationTokenSource.IsCancellationRequested is false &&
+            TryGetRemaining(out TimeSpan remaining))
+        {
+            Thread.Sleep(remaining);
+        }
+    }
+
+    /// <summary>
+    /// Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources asynchronously.
+    /// </summary>
+    /// <returns>
+    /// A task that represents the asynchronous dispose operation.
+    /// </returns>
+    /// <remarks>
+    /// This will delay using <see cref="Task.Delay(TimeSpan, TimeProvider, CancellationToken)" /> until the remaining time has elapsed, if not cancelled.
+    /// </remarks>
+    public async ValueTask DisposeAsync()
+    {
+        if (_cancellationTokenSource.IsCancellationRequested is false &&
+            TryGetRemaining(out TimeSpan remaining))
+        {
+            await Task.Delay(remaining, _timeProvider, _cancellationTokenSource.Token).ConfigureAwait(false);
+        }
+    }
+
+    private bool TryGetRemaining(out TimeSpan remaining)
+    {
+        remaining = _duration.Subtract(Elapsed);
+
+        return remaining > TimeSpan.Zero;
+    }
+}