SECURITY: do cookie auth rate limiting earlier

2025-05-22 03:21:12 +08:00 · 2016-08-09 10:02:18 +10:00
parent 277e7383f3
commit 5cc8bb535b
2 changed files with 16 additions and 2 deletions
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -38,14 +38,18 @@ class Auth::DefaultCurrentUserProvider
    current_user = nil

    if auth_token && auth_token.length == 32
-      current_user = User.where(auth_token: auth_token)
+      limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60)
+
+      if limiter.can_perform?
+        current_user = User.where(auth_token: auth_token)
                         .where('auth_token_updated_at IS NULL OR auth_token_updated_at > ?',
                                  SiteSetting.maximum_session_age.hours.ago)
                         .first
+      end

      unless current_user
        begin
-          RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60).performed!
+          limiter.performed!
        rescue RateLimiter::LimitExceeded
          raise Discourse::InvalidAccess
        end