  1. <?php
  2. /*
  3. * This file is part of the Symfony package.
  4. *
  5. * (c) Fabien Potencier <fabien@symfony.com>
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. namespace Symfony\Component\Security\Http\RateLimiter;
  11. use Symfony\Component\HttpFoundation\RateLimiter\AbstractRequestRateLimiter;
  12. use Symfony\Component\HttpFoundation\Request;
  13. use Symfony\Component\RateLimiter\RateLimiterFactory;
  14. use Symfony\Component\Security\Core\Security;
  15. /**
  16. * A default login throttling limiter.
  17. *
  18. * This limiter prevents breadth-first attacks by enforcing
  19. * a limit on username+IP and a (higher) limit on IP.
  20. *
  21. * @author Wouter de Jong <wouter@wouterj.nl>
  22. *
  23. * @experimental in 5.2
  24. */
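  final class DefaultLoginRateLimiter extends AbstractRequestRateLimiter
  {
      // Factory for the per-IP limiter; its key is the client IP alone.
      private $globalFactory;

      // Factory for the per-username-and-IP limiter; its key is "<username>-<client IP>".
      private $localFactory;

      /**
       * @param RateLimiterFactory $globalFactory creates the limiter keyed by client IP
       * @param RateLimiterFactory $localFactory  creates the limiter keyed by username and client IP
       */
      public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactory $localFactory)
      {
          $this->globalFactory = $globalFactory;
          $this->localFactory = $localFactory;
      }

      /**
       * Builds the limiters that apply to one login request.
       *
       * The username is read from the Security::LAST_USERNAME request attribute and
       * folded to lower case before it becomes part of the limiter key. Without that
       * step, spellings that differ only in letter case ("Alice", "alice") would each
       * get their own bucket, which weakens the per-username limit whenever the user
       * provider matches usernames case-insensitively.
       * NOTE(review): whether the configured provider does so is not visible here.
       *
       * NOTE(review): both keys depend on Request::getClientIp(); the value is only as
       * reliable as the application's trusted-proxy configuration - confirm it.
       *
       * @return array the limiters created by the global and the local factory, in that order
       */
      protected function getLimiters(Request $request): array
      {
          $clientIp = $request->getClientIp();

          // A missing attribute yields null; the cast turns it into '' so the key stays
          // "-<ip>" exactly as plain concatenation would produce.
          $username = (string) $request->attributes->get(Security::LAST_USERNAME);

          // Multibyte-aware folding only when mbstring is loaded and the value is valid
          // UTF-8; otherwise fall back to byte-wise strtolower().
          if (\function_exists('mb_strtolower') && preg_match('//u', $username)) {
              $username = mb_strtolower($username, 'UTF-8');
          } else {
              $username = strtolower($username);
          }

          return [
              $this->globalFactory->create($clientIp),
              $this->localFactory->create($username.'-'.$clientIp),
          ];
      }
  }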