From 4b692ba7539d9e23021f6d1f19505f38327fcc1e Mon Sep 17 00:00:00 2001
From: Toby Crawley
Date: Sun, 15 Nov 2015 15:23:48 -0500
Subject: [PATCH] Properly throttle failed logins [fixes #401]

This builds on https://github.com/ato/clojars-web/commit/43b1bd7087926d2875ebf47e5dbb4c2fbb9ce4d3, but fixes it to catch bad password attempts as well.
---
 src/clojars/web.clj | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/clojars/web.clj b/src/clojars/web.clj
index 43eb459d..f9781e2c 100644
--- a/src/clojars/web.clj
+++ b/src/clojars/web.clj
@@ -23,6 +23,7 @@
 [safe-hiccup :refer [raw]]
 [search :refer [search]]]
 [clojure.java.io :as io]
+ [clojure.set :refer [rename-keys]]
 [compojure
 [core :refer [ANY context GET PUT routes]]
 [route :refer [not-found]]]
@@ -82,14 +83,17 @@
 (defn credential-fn [db]
 (let [attempts (atom {})]
- (partial creds/bcrypt-credential-fn
- (fn [id]
- (if-let [{:keys [user password]}
- (db/find-user-by-user-or-email db id)]
- (when-not (empty? password)
- (swap! attempts dissoc user)
- {:username user :password password})
- (do (swap! attempts bad-attempt id) nil))))))
+ (fn [{:keys [username] :as auth-map}]
+ (if-let [auth-result (creds/bcrypt-credential-fn
+ #(rename-keys (db/find-user-by-user-or-email db %)
+ {:user :username})
+ auth-map)]
+ (do
+ (swap! attempts dissoc username)
+ auth-result)
+ (do
+ (swap! attempts bad-attempt username)
+ nil)))))
 (defn wrap-x-frame-options [f]
 (fn [req] (update-in (f req) [:headers] assoc "X-Frame-Options" "DENY")))
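Review bot: The new loader lambda in credential-fn drops the `(when-not (empty? password) …)` guard the removed code had, so a user row whose stored password is nil or empty is now handed straight to `creds/bcrypt-credential-fn`; if the bcrypt comparison throws on an empty or malformed hash instead of returning nil, that exception escapes the `if-let` test before either branch runs, and the attempt is neither counted by `bad-attempt` nor throttled. Keeping the guard inside the loader preserves the old behaviour, e.g. `#(let [{:keys [password] :as u} (db/find-user-by-user-or-email db %)] (when-not (empty? password) (rename-keys u {:user :username})))`. Both branches also now key `attempts` on the submitted `username`, which `db/find-user-by-user-or-email` appears to accept as an email too, so one account may accumulate separate counters under its username and its email; whether the code that reads `attempts` (outside this hunk, as is `bad-attempt`) tolerates that cannot be confirmed from here.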