Nextcloud PHP API (master)

IThrottler

Class Throttler implements the bruteforce protection for security actions in Nextcloud.

It works by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The maximum delay is 30 seconds and the starting delay is 200 milliseconds (after the first failed login).

This is based on Paragonie's AirBrake for Airship CMS. You can find the original code at https://github.com/paragonie/airship/blob/7e5bad7e3c0fbbf324c11f963fd1f80e59762606/src/Engine/Security/AirBrake.php

Tags
since
25.0.0

Table of Contents

Constants

MAX_ATTEMPTS  = 10
MAX_DELAY  = 25
MAX_DELAY_MS  = 25000

Methods

getAttempts()  : int
Get the throttling delay (in milliseconds)
getDelay()  : int
Get the throttling delay (in milliseconds)
isBypassListed()  : bool
Check if the IP is allowed to bypass the brute force protection
registerAttempt()  : void
Register a failed attempt to bruteforce a security control
resetDelay()  : void
Reset the throttling delay for an IP address, action and metadata
resetDelayForIP()  : void
Reset the throttling delay for an IP address
showBruteforceWarning()  : bool
Whether a warning should be shown about the throttle
sleepDelay()  : int
Will sleep for the defined amount of time
sleepDelayOrThrowOnMax()  : int
Will sleep for the defined amount of time unless the maximum was reached in the last 30 minutes. In this case a "429 Too Many Requests" exception is thrown.

Constants

MAX_ATTEMPTS

public mixed MAX_ATTEMPTS = 10
Tags
since
25.0.0

MAX_DELAY

public mixed MAX_DELAY = 25
Tags
since
25.0.0

MAX_DELAY_MS

public mixed MAX_DELAY_MS = 25000
Tags
since
25.0.0

Methods

getAttempts()

Get the throttling delay (in milliseconds)

public getAttempts(string $ip[, string $action = '' ][, float $maxAgeHours = 12 ]) : int

This method is considered internal as of Nextcloud 28. Use showBruteforceWarning() to decide whether a warning should be shown.

Parameters
$ip : string
$action : string = ''

optionally filter by action

$maxAgeHours : float = 12
Tags
since
25.0.0
Return values
int

getDelay()

Get the throttling delay (in milliseconds)

public getDelay(string $ip[, string $action = '' ]) : int

This method is considered internal as of Nextcloud 28. Use showBruteforceWarning() to decide whether a warning should be shown.

Parameters
$ip : string
$action : string = ''

optionally filter by action

Tags
since
25.0.0
Return values
int

isBypassListed()

Check if the IP is allowed to bypass the brute force protection

public isBypassListed(string $ip) : bool
Parameters
$ip : string
Tags
since
28.0.0
Return values
bool

registerAttempt()

Register a failed attempt to bruteforce a security control

public registerAttempt(string $action, string $ip[, array<string|int, mixed> $metadata = [] ]) : void
Parameters
$action : string
$ip : string
$metadata : array<string|int, mixed> = []

Optional metadata logged with the attempt

Tags
since
25.0.0

resetDelay()

Reset the throttling delay for an IP address, action and metadata

public resetDelay(string $ip, string $action, array<string|int, mixed> $metadata) : void
Parameters
$ip : string
$action : string
$metadata : array<string|int, mixed>
Tags
since
25.0.0

resetDelayForIP()

Reset the throttling delay for an IP address

public resetDelayForIP(string $ip) : void

This method is considered internal as of Nextcloud 28. Use resetDelay() and only reset the entries of your action and metadata.

Parameters
$ip : string
Tags
since
25.0.0

showBruteforceWarning()

Whether a warning should be shown about the throttle

public showBruteforceWarning(string $ip[, string $action = '' ]) : bool
Parameters
$ip : string
$action : string = ''

optionally filter by action

Tags
since
28.0.0
Return values
bool

sleepDelay()

Will sleep for the defined amount of time

public sleepDelay(string $ip[, string $action = '' ]) : int

Use sleepDelayOrThrowOnMax() instead and abort handling the request when it throws.

Parameters
$ip : string
$action : string = ''

optionally filter by action

Tags
since
25.0.0
Return values
int

the time spent sleeping

sleepDelayOrThrowOnMax()

Will sleep for the defined amount of time unless the maximum was reached in the last 30 minutes. In this case a "429 Too Many Requests" exception is thrown.

public sleepDelayOrThrowOnMax(string $ip[, string $action = '' ]) : int
Parameters
$ip : string
$action : string = ''

optionally filter by action

Tags
throws
MaxDelayReached

when the maximum was reached

since
25.0.0
Return values
int

the time spent sleeping
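How the non-internal methods fit together around one secret check, as an added example that is not Nextcloud's own code: throttle first, abort on MaxDelayReached, register a failure, and reset only this action's entries on success. The app namespace, the TokenGuard class, the action name and the metadata key are hypothetical; the OCP\Security\Bruteforce namespace is assumed to be autoloaded inside a Nextcloud app.

```php
<?php
declare(strict_types=1);

namespace OCA\ExampleApp\Service; // hypothetical app namespace

use OCP\Security\Bruteforce\IThrottler;
use OCP\Security\Bruteforce\MaxDelayReached;

/** Hypothetical service guarding a per-resource token check with IThrottler. */
class TokenGuard {
	// Hypothetical action name; it scopes the attempts this check registers.
	private const ACTION = 'exampleapp_token';

	public function __construct(
		private IThrottler $throttler,
		private string $expectedToken, // assumption: secret supplied by the caller
	) {
	}

	/** @return int HTTP status the calling controller should respond with */
	public function check(string $remoteIp, string $resource, string $token): int {
		// Use identical metadata for registerAttempt() and resetDelay(), so a
		// success clears only the entries this check created.
		$metadata = ['resource' => $resource];

		try {
			// Sleep before looking at the secret. Unlike sleepDelay(), this
			// throws once the maximum was reached in the last 30 minutes.
			$this->throttler->sleepDelayOrThrowOnMax($remoteIp, self::ACTION);
		} catch (MaxDelayReached $e) {
			return 429; // abort handling the request, do not evaluate the token
		}

		if (!hash_equals($this->expectedToken, $token)) {
			// Argument order here is (action, ip, metadata).
			$this->throttler->registerAttempt(self::ACTION, $remoteIp, $metadata);
			return 403;
		}

		// Argument order here is (ip, action, metadata). resetDelayForIP() would
		// also wipe attempts registered by other actions for this address.
		$this->throttler->resetDelay($remoteIp, self::ACTION, $metadata);
		return 200;
	}
}
```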


        