Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

if a failed login attempt comes from an API request, mark it as from the API in the brute force log #17768

Closed
wants to merge 1 commit into from
Closed

if a failed login attempt comes from an API request, mark it as from the API in the brute force log #17768

wants to merge 1 commit into from

Conversation

diosmosis
Copy link
Member

Description:

For debugging purposes it could be helpful to see what entries are from API requests (as opposed to login requests and tracker API requests).

Review

  • Functional review done
  • Potential edge cases thought about (behavior of the code with strange input, with strange internal state or possible interactions with other Matomo subsystems)
  • Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
  • Security review done see checklist
  • Code review done
  • Tests were added if useful/possible
  • Reviewed for breaking changes
  • Developer changelog updated if needed
  • Documentation added if needed
  • Existing documentation updated if needed

@diosmosis diosmosis added the Needs Review PRs that need a code review label Jul 14, 2021
sgiehl
sgiehl previously approved these changes Jul 14, 2021
View reviewed changes
tsteur
tsteur reviewed Jul 14, 2021
View reviewed changes
plugins/Login/Security/BruteForceDetection.php
@@ -68,6 +71,10 @@ public function isEnabled()

public function addFailedAttempt($ipAddress, $login = null)
{
if (empty($login) && Request::isRootRequestApiRequest()) {
$login = self::API_LOGIN_PLACEHOLDER;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would this cause any issue when there is an API call and it maybe searches for isUserLoginBlocked(null)? Could there be other side effects?

Maybe generally when login is null it's likely API anyway?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would this cause any issue when there is an API call and it maybe searches for isUserLoginBlocked(null)? Could there be other side effects?

I don't think it's expected to search for isUserLoginBlocked(null). The query that searches for logins uses login = ? not login is NULL so I wouldn't expect that work anyway.

Maybe generally when login is null it's likely API anyway?

I think it could also be a tracker request?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possible re tracking request 👍 . Generally, I think it be better to add a column source or something similar just to prevent random side effects or bugs. If I see this right indeed isUserLoginBlocked is only called when there is a login so far. It just could also cause maybe side effects in the future as it may not be expected behaviour to have a login set where there is none and generally it's maybe not too important of an issue to introduce possible side effects in the future?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A source column would probably be better. We could put the api method/module there as well. It wouldn't take too long to add, I'll look into it tomorrow.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

btw @diosmosis as the issue is not too high priority we could also just close the PR and work on it another day

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It won't take very long, I'll get to it when I have some time.

@github-actions
Copy link
Contributor

This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

@github-actions github-actions bot added the Stale The label used by the Close Stale Issues action label Jul 28, 2021
@sgiehl sgiehl dismissed their stale review July 28, 2021 07:25

new requirements

@sgiehl sgiehl added Pull Request WIP Indicates the current pull request is still work in progress and not ready yet for a review. and removed Needs Review PRs that need a code review Stale The label used by the Close Stale Issues action labels Jul 28, 2021
@github-actions
Copy link
Contributor

If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'.

@github-actions github-actions bot added the Stale The label used by the Close Stale Issues action label Aug 12, 2021
@tsteur
Copy link
Member

tsteur commented Aug 12, 2021

not needed for now

@tsteur tsteur closed this Aug 12, 2021
@sgiehl sgiehl deleted the brute-force-log-api-user branch April 5, 2023 16:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tsteur tsteur tsteur left review comments

@sgiehl sgiehl sgiehl left review comments

Assignees
No one assigned
Labels
Pull Request WIP Indicates the current pull request is still work in progress and not ready yet for a review. Stale The label used by the Close Stale Issues action
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@diosmosis @tsteur @sgiehl