Added request rate limiters and improved login throttling

This allows limiting on different elements of a request. This is usefull to
e.g. prevent breadth-first attacks, by allowing to enforce a limit on both IP
and IP+username.

Author: wouterj

EventListener/LoginThrottlingListener.php

@@ -12,13 +12,12 @@
 namespace Symfony\Component\Security\Http\EventListener;
 
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
-use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RateLimiter\RequestRateLimiterInterface;
 use Symfony\Component\HttpFoundation\RequestStack;
-use Symfony\Component\RateLimiter\Limiter;
 use Symfony\Component\Security\Core\Exception\TooManyLoginAttemptsAuthenticationException;
+use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
-use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 
 /**
  * @author Wouter de Jong <[email protected]>
@@ -30,7 +29,7 @@ final class LoginThrottlingListener implements EventSubscriberInterface
     private $requestStack;
     private $limiter;
 
-    public function __construct(RequestStack $requestStack, Limiter $limiter)
+    public function __construct(RequestStack $requestStack, RequestRateLimiterInterface $limiter)
     {
         $this->requestStack = $requestStack;
         $this->limiter = $limiter;
@@ -44,33 +43,18 @@ public function checkPassport(CheckPassportEvent $event): void
         }
 
         $request = $this->requestStack->getMasterRequest();
-        $username = $passport->getBadge(UserBadge::class)->getUserIdentifier();
-        $limiterKey = $this->createLimiterKey($username, $request);
+        $request->attributes->set(Security::LAST_USERNAME, $passport->getBadge(UserBadge::class)->getUserIdentifier());
 
-        $limiter = $this->limiter->create($limiterKey);
-        if (!$limiter->consume()->isAccepted()) {
-            throw new TooManyLoginAttemptsAuthenticationException();
+        $limit = $this->limiter->consume($request);
+        if (!$limit->isAccepted()) {
+            throw new TooManyLoginAttemptsAuthenticationException(ceil(($limit->getRetryAfter()->getTimestamp() - time()) / 60));
         }
     }
 
-    public function onSuccessfulLogin(LoginSuccessEvent $event): void
-    {
-        $limiterKey = $this->createLimiterKey($event->getAuthenticatedToken()->getUsername(), $event->getRequest());
-        $limiter = $this->limiter->create($limiterKey);
-
-        $limiter->reset();
-    }
-
     public static function getSubscribedEvents(): array
     {
         return [
-            CheckPassportEvent::class => ['checkPassport', 64],
-            LoginSuccessEvent::class => 'onSuccessfulLogin',
+            CheckPassportEvent::class => ['checkPassport', 2080],
         ];
     }
-
-    private function createLimiterKey($username, Request $request): string
-    {
-        return $username.$request->getClientIp();
-    }
 }

RateLimiter/DefaultLoginRateLimiter.php

@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\RateLimiter;
+
+use Symfony\Component\HttpFoundation\RateLimiter\AbstractRequestRateLimiter;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\RateLimiter\Limiter;
+use Symfony\Component\Security\Core\Security;
+
+/**
+ * A default login throttling limiter.
+ *
+ * This limiter prevents breadth-first attacks by enforcing
+ * a limit on username+IP and a (higher) limit on IP.
+ *
+ * @author Wouter de Jong <[email protected]>
+ *
+ * @experimental in Symfony 5.2
+ */
+final class DefaultLoginRateLimiter extends AbstractRequestRateLimiter
+{
+    private $globalLimiter;
+    private $localLimiter;
+
+    public function __construct(Limiter $globalLimiter, Limiter $localLimiter)
+    {
+        $this->globalLimiter = $globalLimiter;
+        $this->localLimiter = $localLimiter;
+    }
+
+    protected function getLimiters(Request $request): array
+    {
+        return [
+            $this->globalLimiter->create($request->getClientIp()),
+            $this->localLimiter->create($request->attributes->get(Security::LAST_USERNAME).$request->getClientIp()),
+        ];
+    }
+}

Tests/EventListener/LoginThrottlingListenerTest.php

@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\EventListener\LoginThrottlingListener;
+use Symfony\Component\Security\Http\RateLimiter\DefaultLoginRateLimiter;
 
 class LoginThrottlingListenerTest extends TestCase
 {
@@ -34,17 +35,24 @@ protected function setUp(): void
     {
         $this->requestStack = new RequestStack();
 
-        $limiter = new Limiter([
+        $localLimiter = new Limiter([
             'id' => 'login',
             'strategy' => 'fixed_window',
             'limit' => 3,
             'interval' => '1 minute',
         ], new InMemoryStorage());
+        $globalLimiter = new Limiter([
+            'id' => 'login',
+            'strategy' => 'fixed_window',
+            'limit' => 6,
+            'interval' => '1 minute',
+        ], new InMemoryStorage());
+        $limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter);
 
         $this->listener = new LoginThrottlingListener($this->requestStack, $limiter);
     }
 
-    public function testPreventsLoginWhenOverThreshold()
+    public function testPreventsLoginWhenOverLocalThreshold()
     {
         $request = $this->createRequest();
         $passport = $this->createPassport('wouter');
@@ -59,21 +67,19 @@ public function testPreventsLoginWhenOverThreshold()
         $this->listener->checkPassport($this->createCheckPassportEvent($passport));
     }
 
-    public function testSuccessfulLoginResetsCount()
+    public function testPreventsLoginWhenOverGlobalThreshold()
     {
-        $this->expectNotToPerformAssertions();
-
         $request = $this->createRequest();
-        $passport = $this->createPassport('wouter');
+        $passports = [$this->createPassport('wouter'), $this->createPassport('ryan')];
 
         $this->requestStack->push($request);
 
-        for ($i = 0; $i < 3; ++$i) {
-            $this->listener->checkPassport($this->createCheckPassportEvent($passport));
+        for ($i = 0; $i < 6; ++$i) {
+            $this->listener->checkPassport($this->createCheckPassportEvent($passports[$i % 2]));
         }
 
-        $this->listener->onSuccessfulLogin($this->createLoginSuccessfulEvent($passport));
-        $this->listener->checkPassport($this->createCheckPassportEvent($passport));
+        $this->expectException(TooManyLoginAttemptsAuthenticationException::class);
+        $this->listener->checkPassport($this->createCheckPassportEvent($passports[0]));
     }
 
     private function createPassport($username)

composer.json

@@ -19,7 +19,7 @@
         "php": ">=7.2.5",
         "symfony/deprecation-contracts": "^2.1",
         "symfony/security-core": "^5.2",
-        "symfony/http-foundation": "^4.4.7|^5.0.7",
+        "symfony/http-foundation": "^5.2",
         "symfony/http-kernel": "^5.2",
         "symfony/polyfill-php80": "^1.15",
         "symfony/property-access": "^4.4|^5.0"