/**
 * Checks the throttling status of the given user.
 *
 * Three delay sources are consulted, in this fixed order; the first one
 * that is still active aborts the check by calling throwException() with
 * the message, the delay type ('global', 'ip' or 'user') and the number
 * of seconds remaining:
 *
 *   1. the global delay  - only when $action is 'login';
 *   2. the IP delay      - for every action, whenever an IP address is set;
 *   3. the user delay    - only when $action is 'login' and a user is given.
 *
 * Reaching the end therefore means "no delay currently applies".
 *
 * @param string $action The action being checked. Only the literal
 *                       'login' enables the global and per-user checks;
 *                       any other value is treated as an existing session
 *                       and is subject to the IP delay alone.
 * @param \Cartalyst\Sentinel\Users\UserInterface|null $user
 * @return bool Always true when no exception is thrown.
 */
protected function checkThrottling($action, UserInterface $user = null)
{
    $isLogin = ($action === 'login');

    // Someone who merely holds an existing session is not subject to the
    // global delay: that delay exists to slow a flood of failed logins and
    // it locks *every* login while active, so applying it to sessions
    // would let that flood evict everyone already signed in. Note that
    // this also means any attacker able to generate enough failures can
    // deliberately trip the global lock -- an availability trade-off of
    // this design, not something this method can prevent.
    if ($isLogin) {
        $globalDelay = $this->throttle->globalDelay();

        if ($globalDelay > 0) {
            $this->throwException(
                "Too many unsuccessful attempts have been made globally, logins are locked for another [{$globalDelay}] second(s).",
                'global',
                $globalDelay
            );
        }
    }

    // The IP delay is enforced for every action, so suspicious activity
    // from one address locks out new logins *and* users already signed in
    // behind it. This deters an attacker who guessed a password within
    // the configured limit. NOTE(review): this is only as strong as the
    // source of $this->ipAddress; if it is populated from a forwarded-for
    // style header without trusted-proxy validation, the lockout can be
    // evaded or aimed at other clients -- confirm where the caller sets it.
    if (isset($this->ipAddress)) {
        $ipDelay = $this->throttle->ipDelay($this->ipAddress);

        if ($ipDelay > 0) {
            $this->throwException(
                "Suspicious activity has occured on your IP address and you have been denied access for another [{$ipDelay}] second(s).",
                'ip',
                $ipDelay
            );
        }
    }

    // The per-user delay only applies when logging *into* the account.
    // A user who is already signed in stays unaffected even while others
    // hammer their account (picture a well-known account under attack);
    // otherwise third parties could knock any account offline at will.
    if ($isLogin && $user !== null) {
        $userDelay = $this->throttle->userDelay($user);

        if ($userDelay > 0) {
            $this->throwException(
                "Too many unsuccessful login attempts have been made against your account. Please try again after another [{$userDelay}] second(s).",
                'user',
                $userDelay
            );
        }
    }

    return true;
}