From 8b0acb5035b548ad5a4d738cbb206eb1524c3c6b Mon Sep 17 00:00:00 2001
From: numew
Date: Wed, 5 Feb 2025 16:08:13 +0100
Subject: [PATCH] brut force improvements #3559

---
 config/packages/security.yaml | 5 ++++-
 src/Controller/Security/UserAccountController.php | 4 ++--
 src/Security/JsonLoginAuthenticator.php | 4 ++--
 src/Security/TokenAuthenticator.php | 4 ++--
 4 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 4c9f65272..059e27312 100755
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -30,6 +30,9 @@ security:
 custom_authenticators:
 - App\Security\JsonLoginAuthenticator
 - App\Security\TokenAuthenticator
+ login_throttling:
+ max_attempts: 5 # '%env(int:FORMS_SUBMIT_LIMITER_LIMIT)%' doesnt work here: fails to cast str to int
+ interval: '%env(FORMS_SUBMIT_LIMITER_INTERVAL)%'
 main:
 lazy: true
 stateless: false
@@ -39,7 +42,7 @@ security:
 auth_form_path: 2fa_login
 check_path: 2fa_login_check
 login_throttling:
- max_attempts: 10 # '%env(int:FORMS_SUBMIT_LIMITER_LIMIT)%' doesnt work here: fails to cast str to int
+ max_attempts: 5 # '%env(int:FORMS_SUBMIT_LIMITER_LIMIT)%' doesnt work here: fails to cast str to int
 interval: '%env(FORMS_SUBMIT_LIMITER_INTERVAL)%'
 logout:
 path: app_logout
diff --git a/src/Controller/Security/UserAccountController.php b/src/Controller/Security/UserAccountController.php
index 975e755e9..1537a6fde 100755
--- a/src/Controller/Security/UserAccountController.php
+++ b/src/Controller/Security/UserAccountController.php
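Review bot: The new `login_throttling` block is keyed by Symfony's default login rate limiter on user identifier plus client IP, which is the right dimension for brute-force protection, but `max_attempts: 5` and its workaround comment are now copy-pasted across two firewalls (the second hunk, `@@ -39,7 +42,7`, only changes the number). As far as I recall the default limiter also registers an IP-only limiter at five times `max_attempts`, so a value of 5 additionally caps a single IP at 25 attempts per interval across all accounts; that is worth writing into the comment, e.g. `# per user+IP; Symfony also applies 5x this limit per IP alone`. A plain container parameter, unlike an env placeholder, is resolved before the security config tree is validated, so `max_attempts: '%login_max_attempts%'` with the integer declared under `parameters:` should let both firewalls share one value instead of the hard-coded 5. Which firewall the first hunk belongs to and whether its custom authenticators issue a passport carrying a `UserBadge` (the throttling listener, as I recall it, skips passports without one) is outside the hunk.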
@@ -32,7 +32,7 @@ public function requestLoginLink(
 RateLimiterFactory $loginActivationFormLimiter,
 ): Response {
 if ($request->isMethod('POST') && $email = $request->request->get('email')) {
- $limiter = $loginActivationFormLimiter->create($request->getClientIp());
+ $limiter = $loginActivationFormLimiter->create($email);
 if (false === $limiter->consume(1)->isAccepted()) {
 return $this->render('security/login_link_sent.html.twig', [
 'title' => 'Lien d\'activation',
@@ -77,7 +77,7 @@ public function requestNewPass(
 ): Response {
 $title = 'Récupération de votre mot de passe';
 if ($request->isMethod('POST') && $email = $request->request->get('email')) {
- $limiter = $loginPasswordFormLimiter->create($request->getClientIp());
+ $limiter = $loginPasswordFormLimiter->create($email);
 if (false === $limiter->consume(1)->isAccepted()) {
 return $this->render('security/login_link_sent.html.twig', [
 'title' => 'Lien de récupération',
diff --git a/src/Security/JsonLoginAuthenticator.php b/src/Security/JsonLoginAuthenticator.php
index 01256ca98..63b58223d 100644
--- a/src/Security/JsonLoginAuthenticator.php
+++ b/src/Security/JsonLoginAuthenticator.php
@@ -92,8 +92,8 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
 public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
 {
 return new JsonResponse([
- 'error' => $this->translator->trans($exception->getMessageKey(), [], 'security'),
- 'message' => $this->translator->trans($exception->getMessage(), [], 'security'),
+ 'error' => $this->translator->trans($exception->getMessageKey(), $exception->getMessageData(), 'security'),
+ 'message' => $this->translator->trans($exception->getMessage(), $exception->getMessageData(), 'security'),
 ], Response::HTTP_UNAUTHORIZED);
 }
 }
diff --git a/src/Security/TokenAuthenticator.php b/src/Security/TokenAuthenticator.php
index 860f2372b..acbb2012e 100644
--- a/src/Security/TokenAuthenticator.php
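Review bot: Keying the limiter on the submitted email alone (`$loginActivationFormLimiter->create($email)`, and the same change in `@@ -77,7 +77,7` for `$loginPasswordFormLimiter`) drops the per-IP budget the previous code had: one source can now trigger an unbounded number of activation/recovery mails by varying the address, while the per-address budget can be exhausted by third-party submissions for a known address, which denies that user self-service recovery until the interval expires. The address is also used raw, so `Foo@example.org` and `foo@example.org ` are separate keys and one sender gets several budgets for the same mailbox. Keep both dimensions: normalise the address and consume from an email-keyed and an IP-keyed limiter, rejecting when either is exhausted (the same factory can serve both with distinct key prefixes, though a dedicated IP policy would be cleaner). `requestLoginLink` and `requestNewPass` both start before the hunk and continue past it, so the branch below the check is not shown here.
```php
// … unchanged: method signature and POST/email guard …
$emailKey = mb_strtolower(trim($email));
$byEmail = $loginActivationFormLimiter->create('email:' . $emailKey);
$byIp = $loginActivationFormLimiter->create('ip:' . $request->getClientIp());
if (!$byEmail->consume(1)->isAccepted() || !$byIp->consume(1)->isAccepted()) {
    // … unchanged: render login_link_sent.html.twig with the rate-limited message …
```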
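Review bot: Passing `$exception->getMessageData()` is needed for keys such as the throttling message's `%minutes%` placeholder, but the second entry still translates `$exception->getMessage()`, which is the raw exception text rather than the user-safe `getMessageKey()` that `AuthenticationException` exposes for exactly this purpose; depending on the exception subclass and the firewall's `hide_user_not_found` setting that text can carry internal detail (identifiers, provider messages) into the 401 body, and when it differs between failure causes it can reveal whether an account exists. The same pattern is repeated in `TokenAuthenticator::onAuthenticationFailure` (`@@ -58,8 +58,8`). If API clients depend on the `message` field, give it the same safe value, `'message' => $this->translator->trans($exception->getMessageKey(), $exception->getMessageData(), 'security'),`; otherwise drop the field so only the translated key is returned. The enclosing class starts before the hunk.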
+++ b/src/Security/TokenAuthenticator.php
@@ -58,8 +58,8 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
 public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
 {
 return new JsonResponse([
- 'error' => $this->translator->trans($exception->getMessageKey(), [], 'security'),
- 'message' => $this->translator->trans($exception->getMessage(), [], 'security'),
+ 'error' => $this->translator->trans($exception->getMessageKey(), $exception->getMessageData(), 'security'),
+ 'message' => $this->translator->trans($exception->getMessage(), $exception->getMessageData(), 'security'),
 ], Response::HTTP_UNAUTHORIZED);
 }
 }