From 9fa813367fb4d94d499c40e478da55523f9915b7 Mon Sep 17 00:00:00 2001
From: Petr Ilin
Date: Sun, 25 Dec 2022 21:49:37 +0300
Subject: Ban IP on bruteforce attempts
---
 .../net/elytrium/limboauth/handler/AuthSessionHandler.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'src/main/java/net/elytrium/limboauth/handler')
diff --git a/src/main/java/net/elytrium/limboauth/handler/AuthSessionHandler.java b/src/main/java/net/elytrium/limboauth/handler/AuthSessionHandler.java
index 2ea17e0..9c6185f 100644
--- a/src/main/java/net/elytrium/limboauth/handler/AuthSessionHandler.java
+++ b/src/main/java/net/elytrium/limboauth/handler/AuthSessionHandler.java
@@ -240,6 +240,7 @@ public class AuthSessionHandler implements LimboSessionHandler {
 }
 } else if (--this.attempts != 0) {
 this.proxyPlayer.sendMessage(loginWrongPassword[this.attempts - 1]);
+ this.checkBruteforceAttempts();
 } else {
 this.proxyPlayer.disconnect(loginWrongPasswordKick);
 }
@@ -249,6 +250,8 @@ public class AuthSessionHandler implements LimboSessionHandler {
 if (TOTP_CODE_VERIFIER.isValidCode(this.playerInfo.getTotpToken(), args[1])) {
 this.finishLogin();
 return;
+ } else {
+ this.checkBruteforceAttempts();
 }
 }
 }
@@ -256,6 +259,13 @@ public class AuthSessionHandler implements LimboSessionHandler {
 this.sendMessage(false);
 }

+ private void checkBruteforceAttempts() {
+ this.plugin.incrementBruteforceAttempts(this.proxyPlayer.getRemoteAddress().getAddress());
+ if (this.plugin.getBruteforceAttempts(this.proxyPlayer.getRemoteAddress().getAddress()) >= Settings.IMP.MAIN.BRUTEFORCE_MAX_ATTEMPTS) {
+ this.proxyPlayer.disconnect(loginWrongPasswordKick);
+ }
+ }
+
 private void saveTempPassword(String password) {
 this.tempPassword = password;
 }
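Review bot: The failure that uses up the last per-session attempt is never added to the per-address counter: the `else` branch that ends in `this.proxyPlayer.disconnect(loginWrongPasswordKick);` does not call the plugin, so every kicked session records one failure fewer than it made and `BRUTEFORCE_MAX_ATTEMPTS` is reached later than configured. I would count it there as well, with `this.plugin.incrementBruteforceAttempts(this.proxyPlayer.getRemoteAddress().getAddress());` just before the disconnect. The `if` chain this branch belongs to starts above the hunk, so this assumes the `else` is the wrong-password path.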
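Review bot: When `this.checkBruteforceAttempts()` disconnects the player in the new `else` branch, nothing stops the handler from carrying on; the next hunk shows `this.sendMessage(false);` right after these closing braces, which would then presumably run for a connection that has just been closed (the call added in the first hunk has the same shape). Letting the helper report the outcome, `private boolean checkBruteforceAttempts()`, and using `if (this.checkBruteforceAttempts()) { return; }` at both call sites would make the stop explicit. As a style point, the `else` is redundant after `return;`. The enclosing method starts above the hunk.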
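Review bot: `checkBruteforceAttempts()` increments the counter and then reads it back in a second call, resolving the remote address twice, so the pair is not atomic and sessions from the same address can interleave between the two calls. Holding the address in a local, `InetAddress address = this.proxyPlayer.getRemoteAddress().getAddress();`, removes the duplication, and having `incrementBruteforceAttempts` return the new count would close the gap if the plugin API can change (its implementation is not part of this diff). The method also deserves a short Javadoc saying that it records one failed attempt for the player's address and disconnects only the current session once the limit is reached; whether later connections from that address are refused is not visible in this file.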
@@ -333,6 +343,8 @@ public class AuthSessionHandler implements LimboSessionHandler {
 this.proxyPlayer.showTitle(loginSuccessfulTitle);
 }

+ this.plugin.clearBruteforceAttempts(this.proxyPlayer.getRemoteAddress().getAddress());
+
 this.plugin.getServer().getEventManager()
 .fire(new PostAuthorizationEvent(this::finishAuth, this.player, this.playerInfo, this.tempPassword))
 .thenAcceptAsync(this::finishAuth);
-- cgit
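Review bot: `clearBruteforceAttempts` is keyed by the remote address alone, so one successful login from an address wipes the failures recorded for every other account tried from it; on a shared or NAT address, or where a valid account exists behind the same address, the limit can be reset before it ever triggers. Keying the counter by address and username, or letting entries age out instead of clearing them on success, would keep the limit meaningful; how the counter is stored and whether it expires is not visible in this diff. A one-line comment such as `// Successful login: forget failed attempts recorded for this address.` would also explain why the call sits here. The enclosing method starts above the hunk.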