Exemplo n.º 1
 /**
  * Login throttling middleware.
  *
  * Rejects the request when the client has already exhausted the login
  * rate limit (limit 10, window 10); otherwise the request continues down
  * the pipeline untouched.
  *
  * This middleware only reads the counter (Throttle::check). The counter is
  * incremented elsewhere in Cachet, and only for login attempts that pass
  * validation but fail to authenticate, so successful logins and malformed
  * submissions never consume attempts.
  *
  * @param \Illuminate\Http\Request $request
  * @param \Closure                 $next
  *
  * @return mixed
  */
 public function handle($request, Closure $next)
 {
     $withinLimit = Throttle::check($request, 10, 10);

     if ($withinLimit) {
         return $next($request);
     }

     return Redirect::back()->with('error', 'You have made too many login requests.');
 }
Exemplo n.º 2
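 /**
  * Show the application login form.
  *
  * Before rendering, the request is run through the login throttler using
  * the configured limits ('kagi.throttle' attempts within a 'kagi.time_out'
  * window). Previously a throttler was built from those settings and then
  * discarded in favour of a hard-coded limit of 5; the configured values are
  * now the ones actually enforced.
  *
  * Note that Throttle::attempt() increments the counter as well as checking
  * it, so every rendering of the form consumes one attempt. Once the limit
  * is reached an error is flashed, but the form is still rendered.
  *
  * @return \Illuminate\Http\Response
  */
 public function getLogin()
 {
     $request = Request::getFacadeRoot();

     // Limits are configurable per deployment; the defaults match the
     // previous string defaults ('3' and '2'), cast so the throttler gets ints.
     $limit = (int) Config::get('kagi.throttle', 3);
     $timeout = (int) Config::get('kagi.time_out', 2);

     // attempt() hits the throttle and then returns check(); false means the
     // caller has used up its attempts for the current window.
     if (!Throttle::attempt($request, $limit, $timeout)) {
         Flash::error(trans('kotoba::auth.error.not_approved'));
     }

     return Theme::View('modules.kagi.auth.login');
 }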
Exemplo n.º 3
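 /**
  * Authenticate an API client and issue a JWT.
  *
  * Failed or erroring attempts hit the per-request throttler (5 attempts
  * within window 1); once the limit is reached the request is refused before
  * the credentials are checked at all. Successful attempts do not hit the
  * throttler. When a 'gcm_token' is supplied it is stored on the
  * authenticated user.
  *
  * @param Request $request
  *
  * @return \Illuminate\Http\JsonResponse|\Illuminate\Http\Response
  */
 public function login(Request $request)
 {
     $data = $request->only('username', 'password');
     $gcm_token = $request->get('gcm_token');
     $throttler = Throttle::get($request, 5, 1);

     // Refuse early while the client is over the limit. 420 is a non-standard
     // status; 429 Too Many Requests (with a Retry-After header) is the
     // standard choice, but existing clients may depend on 420, so it is kept.
     if (!$throttler->check()) {
         $response = Response(['error' => 'too many wrong requests']);
         $response->setStatusCode(420, 'Enhance Your Calm');

         return $response;
     }

     try {
         $token = JWTAuth::attempt($data);
         if (!$token) {
             // Wrong credentials: count the failure so guessing is rate limited.
             $throttler->hit();

             return response()->json(['error' => true, 'message' => 'invalid_credentials'], 401);
         }

         // Attach the push token when one was sent. An empty string counts as
         // absent, matching the previous loose comparison against null.
         if ($gcm_token !== null && $gcm_token !== '') {
             $user = JWTAuth::toUser($token);
             $user->setGCMToken($gcm_token);
             $user->save();
         }
     } catch (JWTException $e) {
         // Token creation failed; count it like a failed attempt.
         $throttler->hit();

         return response()->json(['error' => true, 'message' => 'couldnt_create_token'], 401);
     }

     return response()->json(compact('token'));
 }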
Exemplo n.º 4
 /**
  * Logs the user in.
  *
  * On success the user is sent to their intended page (falling back to the
  * dashboard). On failure the login throttle for this request is hit
  * (limit 10, window 10) and the form is redisplayed with the submitted
  * input minus the password.
  *
  * @return \Illuminate\Http\RedirectResponse
  */
 public function postLogin()
 {
     $credentials = Binput::only(['email', 'password']);

     if (Auth::attempt($credentials)) {
         return Redirect::intended('dashboard');
     }

     // Only failed attempts count towards the limit.
     Throttle::hit(Request::instance(), 10, 10);

     return Redirect::back()
         ->withInput(Binput::except('password'))
         ->with('error', 'Invalid email or password');
 }
Exemplo n.º 5
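 /**
  * Check whether this worker is currently throttled.
  *
  * The 'throttle' config entry is a "limit:time" string; when it is unset
  * or empty, throttling is disabled. Each call counts as an attempt
  * (Throttle::attempt hits the counter before checking it) against a key
  * made of the host name and the worker class plus worker name.
  *
  * @throws \InvalidArgumentException when the 'throttle' entry is not of the form "limit:time"
  *
  * @return bool true when the limit has been exceeded
  */
 private function isThrottled()
 {
     // empty() covers both a missing key and a falsy value without a notice.
     if (empty($this->config['throttle'])) {
         return false;
     }
     $config = $this->config['throttle'];

     // Fail loudly on a malformed setting rather than passing an undefined
     // offset (null) to the throttler as the time window.
     $parts = explode(':', (string) $config);
     if (count($parts) !== 2) {
         throw new \InvalidArgumentException(sprintf('Invalid throttle setting "%s"; expected "limit:time".', $config));
     }
     list($limit, $time) = $parts;

     $key = ['ip' => gethostname(), 'route' => $this->config['class'] . $this->worker];

     return !Throttle::attempt($key, (int) $limit, (int) $time);
 }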
Exemplo n.º 6
 /**
  * Handle an incoming request.
  *
  * Every request passing through this middleware hits the throttle; once a
  * client exceeds the limit (10 requests per window of 30) the request is
  * rejected with a TooManyRequestsHttpException whose Retry-After covers the
  * whole ban window.
  *
  * @param \Illuminate\Http\Request $request
  * @param \Closure                 $next
  *
  * @throws \Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException
  *
  * @return mixed
  */
 public function handle($request, Closure $next)
 {
     $limit = 10; // requests allowed per window
     $time = 30;  // ban time, in minutes (see the * 60 below)

     // attempt() both counts this request and reports whether the limit holds.
     if (Throttle::attempt($request, $limit, $time)) {
         return $next($request);
     }

     // Retry-After is expressed in seconds, hence the conversion from minutes.
     throw new TooManyRequestsHttpException($time * 60, 'Rate limit exceed.');
 }
Exemplo n.º 7
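 /**
  * Handle a login form submission.
  *
  * Flow: validate the input, refuse while the login throttle for this
  * request (5 attempts within a 10-minute window) is exhausted, require
  * reCAPTCHA in production once three attempts have been counted, then count
  * this attempt and try to authenticate. Note that the throttle is hit before
  * Auth::attempt, so successful logins consume an attempt as well.
  *
  * @param Request $request
  *
  * @return \Illuminate\Http\RedirectResponse
  */
 public function postLogin(Request $request)
 {
     $validator = Validator::make($request->all(), ['email' => 'required|email', 'password' => 'required']);

     // Login cooldown: the throttler for this request slows down credential guessing.
     $throttle = Throttle::get($request, 5, 10);

     // After three counted attempts, reCAPTCHA becomes a required field.
     $validator->sometimes('g-recaptcha-response', 'required', function ($input) use ($throttle) {
         return $throttle->count() >= 3;
     });

     if ($validator->fails()) {
         return Redirect::route('user.login')->withErrors($validator)->withInput();
     }

     // Too many attempts: tell the user how long to wait (10 minutes).
     if (!$throttle->check()) {
         return Redirect::route('user.login')->with('warning', '嘗試登入過於頻繁,請等待10分鐘。')->with('delay', 10 * 60)->withInput();
     }

     // reCAPTCHA is only verified in production, when a site key is configured,
     // and only after three counted attempts.
     if (App::environment('production') && !empty(env('reCAPTCHA_Site_key')) && $throttle->count() >= 3) {
         $result = ReCaptchaHelper::tryPassGoogleReCAPTCHA($request);
         // Only a strict boolean true counts as passing.
         if ($result->success !== true) {
             LogHelper::info('[reCAPTCHA Failed]', $result);

             return Redirect::route('user.login')->with('warning', '沒有通過 reCAPTCHA 驗證,請再試一次。')->withInput();
         }
     }

     // Count this attempt before the credentials are checked.
     $throttle->hit();

     $email = $request->get('email');
     $ip = $request->getClientIp();
     $remember = $request->has('remember');

     if (!Auth::attempt(['email' => $email, 'password' => $request->get('password')], $remember)) {
         LogHelper::info('[LoginFailed] 登入失敗:' . $email, ['email' => $email, 'ip' => $ip]);

         return Redirect::route('user.login')->with('warning', '帳號或密碼錯誤');
     }

     $user = Auth::user();

     // Record where and when the user last logged in.
     $user->lastlogin_ip = $ip;
     $user->lastlogin_at = Carbon::now()->toDateTimeString();
     $user->save();

     // A successful login invalidates any outstanding password reset tokens.
     DB::table('password_resets')->where('email', '=', $user->email)->delete();

     LogHelper::info('[LoginSucceeded] 登入成功:' . $email, ['email' => $email, 'ip' => $ip]);

     // Send the user back to where they were before logging in, if known.
     if (Session::has('previous-url')) {
         return Redirect::to(Session::get('previous-url'))->with('global', '已順利登入');
     }

     return Redirect::intended('/')->with('global', '已順利登入');
 }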
Exemplo n.º 8
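 /**
  * Logs the user in.
  *
  * Credentials are validated first without starting a session. Users with
  * two-factor auth enabled are logged in for this request only, their id is
  * parked in the session under '2fa_id' and they are sent to the two-factor
  * step; a full login only happens after that step. Everyone else is logged
  * in immediately. A failed validation hits the login throttle for this
  * request (limit 10, window 10) and redisplays the form without the
  * password.
  *
  * @return \Illuminate\Http\RedirectResponse
  */
 public function postLogin()
 {
     $loginData = Binput::only(['email', 'password']);

     if (Auth::validate($loginData)) {
         // Log the user in for this request only so the account can be inspected.
         Auth::once($loginData);
         $user = Auth::user();

         // Two-factor users must complete the second step before a real login.
         if ($user->hasTwoFactor) {
             Session::put('2fa_id', $user->id);

             return Redirect::route('two-factor');
         }

         // We probably want to add support for "Remember me" here.
         Auth::attempt($loginData);

         return Redirect::intended('dashboard');
     }

     // Only failed attempts count towards the limit.
     Throttle::hit(Request::instance(), 10, 10);

     return Redirect::back()->withInput(Binput::except('password'))->with('error', trans('forms.login.invalid'));
 }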
Exemplo n.º 9
<?php

/*
 * This file is part of Bootstrap CMS.
 *
 * (c) Graham Campbell <*****@*****.**>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */
use GrahamCampbell\Throttle\Facades\Throttle;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
/*
|--------------------------------------------------------------------------
| Throttling Filters
|--------------------------------------------------------------------------
|
| This is where we check the user is not spamming our system by limiting
| certain types of actions with a throttler.
|
*/
// 'throttle.comment' only reads the counter: a client already over the
// limit (10 per window of 1) is rejected right away, while the hit itself is
// left to the comment handler so that only valid submissions count.
$router->filter('throttle.comment', function ($route, $request) {
    $withinLimit = Throttle::check($request, 10, 1);

    if ($withinLimit) {
        return;
    }

    // Retry-After of 60 seconds matches the one-minute window.
    throw new TooManyRequestsHttpException(60, 'Rate limit exceed.');
});
Exemplo n.º 10
 /**
  * Run the login throttling filter.
  *
  * Read-only check against the login throttle (limit 10, window 10): a
  * client that has already exhausted its attempts is sent back with an
  * error; anyone else passes through (a null return lets the request continue).
  *
  * The hit count is incremented elsewhere in Cachet, and only when the
  * submitted form validates but the login fails, so successful logins and
  * malformed submissions do not consume attempts.
  *
  * @param \Illuminate\Routing\Route $route
  * @param \Illuminate\Http\Request  $request
  *
  * @return \Illuminate\Http\Response|null
  */
 public function filter(Route $route, Request $request)
 {
     if (Throttle::check($request, 10, 10)) {
         return null;
     }

     return Redirect::back()->with('error', 'You have made too many login requests.');
 }
Exemplo n.º 11
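 /**
  * Check if the called function is throttled.
  *
  * The limit for a setting lives in config under 'ratchet.throttle.<setting>'
  * in "limit:time" form, and the counter is keyed on the connection's remote
  * address plus the setting name. Each call counts as an attempt, since
  * Throttle::attempt hits the counter before checking it.
  *
  * @param object $conn    the connection being checked; its remoteAddress is the 'ip' key
  * @param string $setting name of the throttled action, also the config key suffix
  *
  * @throws \InvalidArgumentException when the config entry is missing or not "limit:time"
  *
  * @return bool true when the limit has been exceeded
  */
 private function isThrottled($conn, $setting)
 {
     $key = sprintf('ratchet.throttle.%s', $setting);
     $parts = explode(':', (string) config($key));

     // A missing or malformed entry previously passed an undefined offset
     // (null) as the time window; make the misconfiguration explicit instead.
     if (count($parts) !== 2) {
         throw new \InvalidArgumentException(sprintf('Invalid throttle setting for "%s"; expected "limit:time".', $key));
     }
     list($limit, $time) = $parts;

     return !Throttle::attempt(['ip' => $conn->remoteAddress, 'route' => $setting], (int) $limit, (int) $time);
 }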
Exemplo n.º 12
// 'throttle.activate' counts every request (attempt() hits and then checks):
// no validation precedes it, so there is nothing to defer the hit for.
$router->filter('throttle.activate', function ($route, $request) {
    if (Throttle::attempt($request, 10, 10)) {
        return;
    }

    return Redirect::route('account.login')->withInput()->with('error', 'You have made too many activation requests. Please try again in 10 minutes.');
});

// The remaining account filters only read the counter (check()); the hit is
// applied later, once the submitted form has validated, so malformed
// submissions do not consume attempts. Each allows 5 per window of 30 and
// sends the client back to its own form with a suspension notice.
$router->filter('throttle.resend', function ($route, $request) {
    if (Throttle::check($request, 5, 30)) {
        return;
    }

    return Redirect::route('account.resend')->withInput()->with('error', 'You have been suspended from resending activation emails. Please contact support.');
});

$router->filter('throttle.reset', function ($route, $request) {
    if (Throttle::check($request, 5, 30)) {
        return;
    }

    return Redirect::route('account.reset')->withInput()->with('error', 'You have been suspended from resetting passwords. Please contact support.');
});

$router->filter('throttle.register', function ($route, $request) {
    if (Throttle::check($request, 5, 30)) {
        return;
    }

    return Redirect::route('account.register')->withInput()->with('error', 'You have been suspended from registration. Please contact support.');
});

// Pick the application locale from the {lang} route parameter.
$router->filter('localization', function () {
    App::setLocale(Route::input('lang'));
});