From b708446ccd551e686b099112a8c60daeec5fe2ea Mon Sep 17 00:00:00 2001
From: Aaron Parecki
Date: Mon, 22 Jul 2019 11:07:00 -0400
Subject: [PATCH] allow only 4 failed attempts at entering the email code to prevent brute forcing closes #39
---
 app/Provider/Email.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/app/Provider/Email.php b/app/Provider/Email.php
index 2745726..d623732 100644
--- a/app/Provider/Email.php
+++ b/app/Provider/Email.php
@@ -101,6 +101,27 @@ public function verify_email_code(ServerRequestInterface $request, ResponseInter
 if(strtolower($usercode) == strtolower($params['usercode'])) {
 return $this->_finishAuthenticate($response);
 } else {
+ $k = 'indielogin:email:usercode:attempts:'.$params['code'];
+ $current_attempts = (redis()->get($k) ?: 0);
+
+ // Allow only 4 failed attempts, then start over.
+ // This prevents brute forcing the code.
+ if($current_attempts >= 3) {
+ redis()->del('indielogin:email:usercode:'.$params['code']);
+ redis()->del('indielogin:email:'.$params['code']);
+ redis()->del($k);
+
+ $response->getBody()->write(view('auth/email-error', [
+ 'title' => 'Error',
+ 'error' => 'The session expired',
+ 'client_id' => ($_SESSION['login_request']['client_id'] ?? false)
+ ]));
+ return $response;
+ }
+
+ // Increment the counter of failed attempts
+ redis()->setex($k, EMAIL_TIMEOUT, $current_attempts+1);
+
 $response->getBody()->write(view('auth/email-enter-code', [
 'title' => 'Log In via Email',
 'code' => $params['code'],
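Review bot: The attempt counter is a non-atomic read-modify-write (`redis()->get($k)` at the top of the added block, `redis()->setex($k, EMAIL_TIMEOUT, $current_attempts+1)` at the bottom), so concurrent submissions for the same `$params['code']` can all read the same value and each be counted once, which lets more than the intended 4 failures through before the session is torn down. Redis `INCR` is atomic and returns the new value, so the limit can be enforced on its result; setting the TTL only on the first increment also avoids the current behaviour where every failed attempt refreshes the counter's expiry via `setex`. The rewrite below assumes the `redis()` client exposes `incr`/`expire` (phpredis and Predis both do) and keeps the same 4-failure threshold and the same teardown block. Separately, the comparison on the first context line, `strtolower($usercode) == strtolower($params['usercode'])`, is a loose `==` (numeric-looking strings compare numerically, e.g. `'0123' == '123'`) and is not constant-time; `hash_equals(strtolower($usercode), strtolower((string)$params['usercode']))` would be the stricter form, though that line predates this commit. The enclosing `verify_email_code` starts and ends outside the hunk.
```php
$k = 'indielogin:email:usercode:attempts:'.$params['code'];
// INCR is atomic: returns the new count, so parallel requests cannot share a value.
$failed_attempts = redis()->incr($k);
if($failed_attempts == 1) {
    // Bound the counter's lifetime once, on the first failure, rather than refreshing it each time.
    redis()->expire($k, EMAIL_TIMEOUT);
}

// Allow only 4 failed attempts, then start over.
// This prevents brute forcing the code.
if($failed_attempts > 3) {
    // … unchanged: delete the usercode/session keys and render auth/email-error …
}
// (the trailing redis()->setex($k, ...) is no longer needed)
// … unchanged: render auth/email-enter-code …
```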