On Monday 02 November 2009 16:31:56 Josef Reidinger wrote:
> ref: refs/heads/master
> commit 4f74fe5c2ec8c1927b9ebac0073e5b703fb484df
> Author: Josef Reidinger <[email protected]>
> Date:   Mon Nov 2 16:24:21 2009 +0100
> 
>     add Brute force protection
> ---
>  webservice/app/controllers/sessions_controller.rb  |    6 ++-
>  webservice/lib/brute_force_protection.rb           |   63
>  ++++++++++++++++++++ webservice/package/yast2-webservice.changes        | 
>    5 ++
>  .../test/unit/brute_force_protection_test.rb       |   33 ++++++++++
>  4 files changed, 106 insertions(+), 1 deletions(-)
> 
> diff --git a/webservice/app/controllers/sessions_controller.rb
>  b/webservice/app/controllers/sessions_controller.rb index 86295c2..d88f3e0
>  100644
> --- a/webservice/app/controllers/sessions_controller.rb
> +++ b/webservice/app/controllers/sessions_controller.rb
> @@ -34,7 +34,10 @@ class SessionsController < ApplicationController
>         self.current_account = Account.authenticate(params[:login],
>  params[:password]) end
>      @cmd_ret = Hash.new
> -    if logged_in?
> +    if BruteForceProtection.instance.blocked?
> +      @cmd_ret["login"] = "blocked"
> +      @cmd_ret["remain"] = BruteForceProtection.instance.last_fail +
>  BruteForceProtection::BAN_TIMEOUT +    elsif logged_in?
>        if params[:remember_me]
>          current_account.remember_me unless current_account.remember_token?
>          cookies[:auth_token] = { :value =>
>  self.current_account.remember_token , :expires =>
>  self.current_account.remember_token_expires_at } @@ -44,6 +47,7 @@ class
>  SessionsController < ApplicationController @cmd_ret["auth_token"] = {
>  :value => self.current_account.remember_token , :expires =>
>  self.current_account.remember_token_expires_at } else
>        @cmd_ret["login"] = "denied"
> +      BruteForceProtection.instance.fail_attempt
>      end
>    end
> 
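Review bot: the `BruteForceProtection.instance.blocked?` test is placed after `self.current_account = Account.authenticate(params[:login], params[:password])` has already run, so a blocked request still spends a full credential check; move the `blocked?` test ahead of the authenticate call so blocked attempts are rejected before any password verification. Two smaller points in the same hunk: `@cmd_ret["remain"]` is assigned `BruteForceProtection.instance.last_fail + BruteForceProtection::BAN_TIMEOUT`, which is an absolute time, while the key name suggests the seconds remaining, so either subtract the current time or rename the key; and `blocked?` and `fail_attempt` take no login or client argument, so the counter is one global value and a handful of failed attempts from a single source answers "blocked" to every account, which is a denial-of-service lever against all users. Keying the counter per login name or per client address, and documenting whichever is chosen, would limit that.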
> diff --git a/webservice/lib/brute_force_protection.rb
>  b/webservice/lib/brute_force_protection.rb new file mode 100644
> index 0000000..b5fc899
> --- /dev/null
> +++ b/webservice/lib/brute_force_protection.rb
> @@ -0,0 +1,63 @@
> +# == Brute force Protection class
> +# === Overview
> +#
> +# Singleton class thant remember fail attempts to log to REST-SERVICE.
> +# After specified time period is failed attemps cleared.
> +#
> +# === Usage
> +#
> +# When user tries to login ensure that it is not blocked by
>  BruteForceProtection.instance.blocked? +# When user failed to login call
>  BruteForceProtection.instance.fail_attempt +
> +class BruteForceProtection
> +  include Singleton
> +
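Review bot: the header comment should say where the state lives. With `include Singleton` the failure history is held in the memory of this Ruby process, so it is neither shared between application server worker processes nor kept across a restart, and nothing in the comment tells an operator that. The usage lines also show `blocked?` and `fail_attempt` called without a login or client key, so document that this is one global counter (or add the key). Typos in the comment: "thant remember" should be "that remembers", "attemps" should be "attempts", and "After specified time period is failed attemps cleared." reads better as "After the specified time period the failed attempts are cleared."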
Maybe I misunderstood the code, but using the Singleton module will not preserve 
the instance between requests. Just try to create a simple Singleton counter 
and view it a few times in some controller. 
Singletons are regular instances of a regular Ruby class. The only difference 
is that you can make (new) only one of them. But they are lost at the end of a 
request like any other instance.
For storing values between requests, AFAIK only the database and module namespace 
hacks work. I don't have anything against storing values in the module namespace, 
but I suggest doing it readably, for instance by writing some "ModuleStorage" 
class/module whose only purpose would be to store and retrieve values using the 
module namespace.
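As an added illustration of the "ModuleStorage" idea raised in the reply (example code written for this page, not part of the yast2-webservice patch or the reply author's code), the following Ruby keeps the failed-login history in module-level state guarded by a monitor and keys it per login name, so one source cannot block every account. The names `ModuleStorage`, `LoginThrottle`, `MAX_FAILS` and the 300-second `BAN_TIMEOUT` are assumptions chosen for the example. Module-level state lives in the memory of one Ruby process: it is shared by the requests that process serves, lost on restart, and not shared between worker processes.

```ruby
require 'monitor'

# Added example: a module-namespace store for failed login attempts.
# ModuleStorage and LoginThrottle are hypothetical names, not from the patch.
module ModuleStorage
  # Module-level state: held in this Ruby process's memory, visible to every
  # request this process handles, lost on restart, not shared across workers.
  # A monitor serialises access from concurrent request threads.
  @data = {}
  @lock = Monitor.new

  def self.get(key)
    @lock.synchronize { @data[key] }
  end

  def self.set(key, value)
    @lock.synchronize { @data[key] = value }
  end

  def self.delete(key)
    @lock.synchronize { @data.delete(key) }
  end

  def self.clear
    @lock.synchronize { @data.clear }
  end
end

module LoginThrottle
  MAX_FAILS = 5       # assumed: failures inside the window before a key is blocked
  BAN_TIMEOUT = 300   # assumed: seconds a blocked key stays blocked after its last failure

  EMPTY = { :count => 0, :last_fail => nil }

  # Record one failed attempt for +key+ (e.g. the login name) at time +now+.
  # Returns the failure count now recorded for that key.
  def self.fail_attempt(key, now = Time.now)
    entry = ModuleStorage.get(key) || EMPTY
    # History older than the ban window is dropped, so an old failure
    # does not count forever.
    entry = EMPTY if expired?(entry, now)
    entry = { :count => entry[:count] + 1, :last_fail => now }
    ModuleStorage.set(key, entry)
    entry[:count]
  end

  # True when +key+ has reached MAX_FAILS and the ban window has not elapsed.
  def self.blocked?(key, now = Time.now)
    entry = ModuleStorage.get(key)
    return false if entry.nil? || expired?(entry, now)
    entry[:count] >= MAX_FAILS
  end

  # Whole seconds until +key+ may try again; 0 when it is not blocked.
  # This is a remaining duration, not an absolute timestamp.
  def self.remaining(key, now = Time.now)
    return 0 unless blocked?(key, now)
    (ModuleStorage.get(key)[:last_fail] + BAN_TIMEOUT - now).ceil
  end

  # Forget the history for +key+, e.g. after a successful login.
  def self.reset(key)
    ModuleStorage.delete(key)
  end

  def self.expired?(entry, now)
    entry[:last_fail].nil? || now - entry[:last_fail] > BAN_TIMEOUT
  end
end

if __FILE__ == $0
  # Constructed sample: five failures for "alice" one second apart, then a check.
  t = Time.now
  5.times { |i| LoginThrottle.fail_attempt('alice', t + i) }
  puts "alice blocked: #{LoginThrottle.blocked?('alice', t + 5)}"
  puts "alice remaining: #{LoginThrottle.remaining('alice', t + 5)}s"
  puts "bob blocked: #{LoginThrottle.blocked?('bob', t + 5)}"
end
```

A controller would call `LoginThrottle.blocked?(params[:login])` before authenticating and `LoginThrottle.fail_attempt(params[:login])` on a denied login; the per-key design means a run of failures against one login name leaves other accounts unaffected.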