4WDCSA.co.za/send_reset_link.php
twotalesanimation a4526979c4 Phase 2: Add rate limiting and session regeneration
- Created RateLimitMiddleware class with 8 public methods
  * isLimited() - check if limit exceeded
  * incrementAttempt() - increment attempt counter
  * getRemainingAttempts() - get remaining attempts
  * getTimeRemaining() - get time remaining in window
  * reset() - reset counter after success
  * requireLimit() - check and die if exceeded
  * getStatus() - get status info for monitoring
  * Support for time-window based rate limiting

- Integrated rate limiting into critical endpoints:
  * validate_login.php: 5 attempts per 900 seconds (15 minutes)
  * send_reset_link.php: 3 attempts per 1800 seconds (30 minutes)
  * Prevents brute force attacks and password reset abuse
  * Still increments counter for non-existent emails (prevents enumeration)

- Integrated session regeneration on successful login:
  * Google OAuth login (both new and existing users)
  * Email/password login
  * Uses AuthenticationService::regenerateSession()
  * Prevents session fixation attacks

- Rate limit counters stored in PHP session
- Time-window based with 15-minute and 30-minute windows
- Graceful error messages with retry_after in JSON responses
- AJAX-aware error handling
2025-12-02 21:10:48 +02:00

2.4 KiB
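A time-window limiter of the kind the commit message describes, as an added example (not the project's `RateLimitMiddleware`). The method names and the 3-per-1800-seconds limit come from the message; the class name, constructor, injected array store, explicit `$now` argument and the response fields other than `retry_after` are assumptions.

```php
<?php
// Added illustration, not the project's RateLimitMiddleware; constructor, array
// store, $now parameter and response fields other than retry_after are assumptions.
final class WindowRateLimiter
{
    private array $store;
    public function __construct(array &$store, private int $max, private int $window)
    {
        $this->store = &$store; // pass $_SESSION to match the commit's storage choice
    }
    private function entry(string $key, int $now): array
    {
        $e = $this->store[$key] ?? ['count' => 0, 'start' => $now];
        // Window elapsed: start fresh rather than carrying old attempts over.
        return ($now - $e['start'] >= $this->window) ? ['count' => 0, 'start' => $now] : $e;
    }
    public function isLimited(string $key, int $now): bool
    {
        return $this->entry($key, $now)['count'] >= $this->max;
    }
    public function incrementAttempt(string $key, int $now): void
    {
        $e = $this->entry($key, $now);
        $e['count']++;
        $this->store[$key] = $e;
    }
    public function getTimeRemaining(string $key, int $now): int
    {
        $e = $this->entry($key, $now);
        return $e['count'] === 0 ? 0 : $e['start'] + $this->window - $now;
    }
}

// Hypothetical handler: count every request, answer the same for known and unknown emails.
function requestReset(WindowRateLimiter $rl, string $email, array $known, int $now): array
{
    if ($rl->isLimited('reset', $now)) {
        return ['status' => 'error', 'retry_after' => $rl->getTimeRemaining('reset', $now)];
    }
    $rl->incrementAttempt('reset', $now);
    if (in_array($email, $known, true)) { /* token generation and mail would go here */ }
    return ['status' => 'ok', 'message' => 'If the address exists, a link was sent.'];
}

$session = [];                                   // constructed stand-in for $_SESSION
$rl = new WindowRateLimiter($session, 3, 1800);  // limits from the commit message
foreach ([0, 10, 20, 30, 1800] as $t) {          // constructed timestamps, in seconds
    echo $t, ' ', json_encode(requestReset($rl, 'nobody@example.test', ['a@example.test'], $t)), "\n";
}
```

The store is injected so the same logic can sit on a server-side store keyed by account or client address, which keeps the count independent of the session lifetime.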