Add rate-limit of TOTP authentication attempts at controller level (#28801)

2025-12-14 08:19:05 +00:00 · 2024-01-19 13:19:49 +01:00
parent 5fc4ae7c5f
commit 3593ee2e36
4 changed files with 48 additions and 0 deletions
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -1,6 +1,10 @@
 # frozen_string_literal: true

 class Auth::SessionsController < Devise::SessionsController
+  include Redisable
+
+  MAX_2FA_ATTEMPTS_PER_HOUR = 10
+
  layout 'auth'

  skip_before_action :check_self_destruct!
@@ -130,9 +134,23 @@ class Auth::SessionsController < Devise::SessionsController
    session.delete(:attempt_user_updated_at)
  end

+  def clear_2fa_attempt_from_user(user)
+    redis.del(second_factor_attempts_key(user))
+  end
+
+  def check_second_factor_rate_limits(user)
+    attempts, = redis.multi do |multi|
+      multi.incr(second_factor_attempts_key(user))
+      multi.expire(second_factor_attempts_key(user), 1.hour)
+    end
+
+    attempts >= MAX_2FA_ATTEMPTS_PER_HOUR
+  end
+
  def on_authentication_success(user, security_measure)
    @on_authentication_success_called = true

+    clear_2fa_attempt_from_user(user)
    clear_attempt_from_session

    user.update_sign_in!(new_sign_in: true)
@@ -164,4 +182,8 @@ class Auth::SessionsController < Devise::SessionsController
      user_agent: request.user_agent
    )
  end
+
+  def second_factor_attempts_key(user)
+    "2fa_auth_attempts:#{user.id}:#{Time.now.utc.hour}"
+  end
 end