[Sécurité - Audit] Modifier la protection anti-brute force

config/packages/security.yaml

@@ -30,6 +30,9 @@ security:
             custom_authenticators:
                 - App\Security\JsonLoginAuthenticator
                 - App\Security\TokenAuthenticator
+            login_throttling:
+                max_attempts: 5 # '%env(int:FORMS_SUBMIT_LIMITER_LIMIT)%' doesnt work here: fails to cast str to int
+                interval: '%env(FORMS_SUBMIT_LIMITER_INTERVAL)%'
         main:
             lazy: true
             stateless: false
@@ -39,7 +42,7 @@ security:
                 auth_form_path: 2fa_login
                 check_path: 2fa_login_check
             login_throttling:
-                max_attempts: 10 # '%env(int:FORMS_SUBMIT_LIMITER_LIMIT)%' doesnt work here: fails to cast str to int
+                max_attempts: 5 # '%env(int:FORMS_SUBMIT_LIMITER_LIMIT)%' doesnt work here: fails to cast str to int
                 interval: '%env(FORMS_SUBMIT_LIMITER_INTERVAL)%'
             logout:
                 path: app_logout

src/Controller/Security/UserAccountController.php

@@ -32,7 +32,7 @@ public function requestLoginLink(
         RateLimiterFactory $loginActivationFormLimiter,
     ): Response {
         if ($request->isMethod('POST') && $email = $request->request->get('email')) {
-            $limiter = $loginActivationFormLimiter->create($request->getClientIp());
+            $limiter = $loginActivationFormLimiter->create($email);
             if (false === $limiter->consume(1)->isAccepted()) {
                 return $this->render('security/login_link_sent.html.twig', [
                     'title' => 'Lien d\'activation',
@@ -77,7 +77,7 @@ public function requestNewPass(
     ): Response {
         $title = 'Récupération de votre mot de passe';
         if ($request->isMethod('POST') && $email = $request->request->get('email')) {
-            $limiter = $loginPasswordFormLimiter->create($request->getClientIp());
+            $limiter = $loginPasswordFormLimiter->create($email);
             if (false === $limiter->consume(1)->isAccepted()) {
                 return $this->render('security/login_link_sent.html.twig', [
                     'title' => 'Lien de récupération',

src/Security/JsonLoginAuthenticator.php

@@ -92,8 +92,8 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
     {
         return new JsonResponse([
-            'error' => $this->translator->trans($exception->getMessageKey(), [], 'security'),
-            'message' => $this->translator->trans($exception->getMessage(), [], 'security'),
+            'error' => $this->translator->trans($exception->getMessageKey(), $exception->getMessageData(), 'security'),
+            'message' => $this->translator->trans($exception->getMessage(), $exception->getMessageData(), 'security'),
         ], Response::HTTP_UNAUTHORIZED);
     }
 }

src/Security/TokenAuthenticator.php

@@ -58,8 +58,8 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
     {
         return new JsonResponse([
-            'error' => $this->translator->trans($exception->getMessageKey(), [], 'security'),
-            'message' => $this->translator->trans($exception->getMessage(), [], 'security'),
+            'error' => $this->translator->trans($exception->getMessageKey(), $exception->getMessageData(), 'security'),
+            'message' => $this->translator->trans($exception->getMessage(), $exception->getMessageData(), 'security'),
         ], Response::HTTP_UNAUTHORIZED);
     }
 }