add: rate limit for Login (+check Signup Limit earlier)

fixes #37

Change-Id: I5927fb2c07e8eb481e03ba445110a4852e60e713

diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index 97a0c29f313d5b89b9999f99f46afb25562aba90..141c6ca18cc6466ffae0248458347b10511228f7 100644 (file)
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -21,12 +21,16 @@ import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Form;
 import org.cacert.gigi.output.template.TranslateCommand;
+import org.cacert.gigi.pages.main.RegisterPage;
 import org.cacert.gigi.util.AuthorizationContext;
 import org.cacert.gigi.util.PasswordHash;
+import org.cacert.gigi.util.RateLimit;
 import org.cacert.gigi.util.ServerConstants;
 
 public class LoginPage extends Page {
 
+    public static final RateLimit RATE_LIMIT = new RateLimit(10, 5 * 60 * 1000);
+
     public class LoginForm extends Form {
 
         public LoginForm(HttpServletRequest hsr) {
@@ -35,6 +39,10 @@ public class LoginPage extends Page {
 
         @Override
         public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
+            if (RegisterPage.RATE_LIMIT.isLimitExceeded(req.getRemoteAddr())) {
+                outputError(out, req, "Rate Limit Exceeded");
+                return false;
+            }
             tryAuthWithUnpw(req);
             return false;
         }

diff --git a/src/org/cacert/gigi/pages/main/RegisterPage.java b/src/org/cacert/gigi/pages/main/RegisterPage.java
index 4bc2cd957fa9b7d6e0e0c88cffbf0392cc5bba09..1e6b33783ee3b89c47c3e602cb90b0196bb949a8 100644 (file)
--- a/src/org/cacert/gigi/pages/main/RegisterPage.java
+++ b/src/org/cacert/gigi/pages/main/RegisterPage.java
@@ -19,7 +19,7 @@ public class RegisterPage extends Page {
 
     public static final String PATH = "/register";
 
-    // 5 per 5 min
+    // 50 per 5 min
     public static final RateLimit RATE_LIMIT = new RateLimit(50, 5 * 60 * 1000);
 
     public RegisterPage() {

diff --git a/src/org/cacert/gigi/pages/main/Signup.java b/src/org/cacert/gigi/pages/main/Signup.java
index 0b9abb73f3d6975bddc9e5e104cbcea7312f0486..d341df280f237ed2417d406c47f5570431211b20 100644 (file)
--- a/src/org/cacert/gigi/pages/main/Signup.java
+++ b/src/org/cacert/gigi/pages/main/Signup.java
@@ -93,6 +93,11 @@ public class Signup extends Form {
 
     @Override
     public synchronized boolean submit(PrintWriter out, HttpServletRequest req) {
+        if (RegisterPage.RATE_LIMIT.isLimitExceeded(req.getRemoteAddr())) {
+            outputError(out, req, "Rate Limit Exceeded");
+            return false;
+        }
+
         update(req);
         if (buildupName.getLname().trim().equals("")) {
             outputError(out, req, "Last name were blank.");
@@ -164,10 +169,6 @@ public class Signup extends Form {
         if (isFailed(out)) {
             return false;
         }
-        if (RegisterPage.RATE_LIMIT.isLimitExceeded(req.getRemoteAddr())) {
-            outputError(out, req, "Rate Limit Exceeded");
-            return false;
-        }
         try {
             run(req, pw1);
         } catch (SQLException e) {

diff --git a/tests/org/cacert/gigi/pages/account/TestMailManagement.java b/tests/org/cacert/gigi/pages/account/TestMailManagement.java
index 412e2d78a1e98da97839fbd081b659b3777d50a2..958954a36cfa0d7ab5a9c884f4846cc4182164b3 100644 (file)
--- a/tests/org/cacert/gigi/pages/account/TestMailManagement.java
+++ b/tests/org/cacert/gigi/pages/account/TestMailManagement.java
@@ -21,6 +21,7 @@ public class TestMailManagement extends ClientTest {
     private String path = MailOverview.DEFAULT_PATH;
 
     public TestMailManagement() throws IOException {
+        clearCaches(); // and reset rate limits
         cookie = login(u.getEmail(), TEST_PASSWORD);
         assertTrue(isLoggedin(cookie));
     }

diff --git a/tests/org/cacert/gigi/pages/wot/TestAssurance.java b/tests/org/cacert/gigi/pages/wot/TestAssurance.java
index 260a88bdda720a0f079a136f59d26c2245ebeca1..d626cee0a3e55c18a37c0efd39473df368cc07ae 100644 (file)
--- a/tests/org/cacert/gigi/pages/wot/TestAssurance.java
+++ b/tests/org/cacert/gigi/pages/wot/TestAssurance.java
@@ -31,6 +31,7 @@ public class TestAssurance extends ManagedTest {
 
     @Before
     public void setup() throws IOException {
+        clearCaches();
         assurerM = createUniqueName() + "@cacert-test.org";
         assureeM = createUniqueName() + "@cacert-test.org";
 

diff --git a/util-testing/org/cacert/gigi/DevelLauncher.java b/util-testing/org/cacert/gigi/DevelLauncher.java
index 5c292fab2d2b3ea965b6b16a83efd21a762ef427..f84d728ba487acb282c9c6185c565780ea95e6b4 100644 (file)
--- a/util-testing/org/cacert/gigi/DevelLauncher.java
+++ b/util-testing/org/cacert/gigi/DevelLauncher.java
@@ -32,6 +32,7 @@ import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Template;
 import org.cacert.gigi.output.template.TranslateCommand;
+import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.Page;
 import org.cacert.gigi.pages.account.certs.CertificateRequest;
 import org.cacert.gigi.pages.main.RegisterPage;
@@ -130,6 +131,7 @@ public class DevelLauncher {
                 public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
                     ObjectCache.clearAllCaches();
                     RegisterPage.RATE_LIMIT.bypass();
+                    LoginPage.RATE_LIMIT.bypass();
                     CertificateRequest.RATE_LIMIT.bypass();
                     resp.getWriter().println("All caches cleared.");
                     System.out.println("Caches cleared.");