[FEATURE] Introduce rate limiter for failed logins
The PHP library `symfony/rate-limiter` has been integrated in order to provide a rate limiting API for the TYPO3 core and extensions. As a new system default, the TYPO3 backend and frontend login now uses a rate limiter, which prevents further authentication attempts for an IP address, if a configurable amount of login attempts is exceeded in a given time. The hardcoded wait time of 5 seconds after a failed login has been removed, since it offers no real protection against brute force attacks. The following dependencies are introduced: * symfony/rate-limiter "^5.3" Resolves: #93825 Releases: master Change-Id: Ib248b78b501a4d50556aa97938f4c51f12f7522a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68624 Tested-by:core-ci <typo3@b13.com> Tested-by:
Jochen <rothjochen@gmail.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Showing
- composer.json 1 addition, 0 deletionscomposer.json
- composer.lock 221 additions, 71 deletionscomposer.lock
- typo3/sysext/backend/Classes/Middleware/BackendUserAuthenticator.php 41 additions, 2 deletions...t/backend/Classes/Middleware/BackendUserAuthenticator.php
- typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php 7 additions, 9 deletions...ore/Classes/Authentication/AbstractUserAuthentication.php
- typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php 3 additions, 1 deletiontypo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
- typo3/sysext/core/Classes/RateLimiter/RateLimiterFactory.php 65 additions, 0 deletionstypo3/sysext/core/Classes/RateLimiter/RateLimiterFactory.php
- typo3/sysext/core/Classes/RateLimiter/RequestRateLimitedException.php 27 additions, 0 deletions.../core/Classes/RateLimiter/RequestRateLimitedException.php
- typo3/sysext/core/Classes/RateLimiter/Storage/CachingFrameworkStorage.php 70 additions, 0 deletions...e/Classes/RateLimiter/Storage/CachingFrameworkStorage.php
- typo3/sysext/core/Configuration/DefaultConfiguration.php 11 additions, 0 deletionstypo3/sysext/core/Configuration/DefaultConfiguration.php
- typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml 28 additions, 0 deletions...t/core/Configuration/DefaultConfigurationDescription.yaml
- typo3/sysext/core/Configuration/Services.yaml 7 additions, 0 deletionstypo3/sysext/core/Configuration/Services.yaml
- typo3/sysext/core/Documentation/Changelog/master/Feature-93825-RateLimitingForFailedLogins.rst 100 additions, 0 deletions...elog/master/Feature-93825-RateLimitingForFailedLogins.rst
- typo3/sysext/core/Tests/Functional/RateLimiter/RateLimiterFactoryTest.php 100 additions, 0 deletions...e/Tests/Functional/RateLimiter/RateLimiterFactoryTest.php
- typo3/sysext/core/composer.json 1 addition, 0 deletionstypo3/sysext/core/composer.json
- typo3/sysext/frontend/Classes/Middleware/FrontendUserAuthenticator.php 41 additions, 2 deletions...frontend/Classes/Middleware/FrontendUserAuthenticator.php
Please register or sign in to comment