webaccess: Always sleep for 1s before returning HTTP 401

Not all authentication plugins require the Authorization header, so it
might not be present in subsequent attempts. (In particular, a reverse
proxy might strip it.)
Richard Hansen 2020-08-26 21:44:26 -04:00 committed by John McLear
parent 442fe1e86f
commit d4162341e7


@ -35,17 +35,12 @@ exports.checkAccess = (req, res, next) => {
const failure = () => { const failure = () => {
return hooks.aCallFirst('authFailure', {req, res, next}, hookResultMangle((ok) => { return hooks.aCallFirst('authFailure', {req, res, next}, hookResultMangle((ok) => {
if (ok) return; if (ok) return;
/* No plugin handler for invalid auth. Return Auth required // No plugin handled the authn/authz failure. Fall back to basic authentication.
* Headers, delayed for 1 second, if authentication failed
* before. */
res.header('WWW-Authenticate', 'Basic realm="Protected Area"'); res.header('WWW-Authenticate', 'Basic realm="Protected Area"');
if (req.headers.authorization) { // Delay the error response for 1s to slow down brute force attacks.
setTimeout(() => { setTimeout(() => {
res.status(401).send('Authentication required'); res.status(401).send('Authentication Required');
}, 1000); }, 1000);
} else {
res.status(401).send('Authentication required');
}
})); }));
}; };
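Review bot: The new comment above the setTimeout overstates what a fixed 1s delay buys: the timer is non-blocking, so it only slows a client that waits for each response, while concurrent unauthenticated requests each get their own timer and nothing in this block caps how many are in flight. I would reword it to `// Delay the error response for 1s to slow down sequential brute force attempts. This does not bound concurrent requests, so rate limiting (e.g. per source address) is still needed.` Separately, the response body changed from 'Authentication required' to 'Authentication Required', which the commit message does not mention and which any client or test matching on the body text would notice; if that is unintentional, keep the old string. The enclosing checkAccess function starts outside the hunk, and the 1000 literal would read better as a named module-level constant defined there.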