From 8d469ab32e51def0792206f0d7e36cc35c906c9c Mon Sep 17 00:00:00 2001
From: Jos Groot Lipman
Date: Mon, 27 Mar 2017 09:48:22 +0000
Subject: [PATCH] FSN#39980 Inlog brute force protection (hardcoded settings)
svn path=/Website/branches/v2016.3/; revision=33264
---
 APPL/FAC/fac_verify.inc | 2 +-
 APPL/Shared/Login.inc | 76 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 1 deletion(-)
diff --git a/APPL/FAC/fac_verify.inc b/APPL/FAC/fac_verify.inc
index 6d7921a413..a8451838f5 100644
--- a/APPL/FAC/fac_verify.inc
+++ b/APPL/FAC/fac_verify.inc
@@ -1492,7 +1492,7 @@ function DumpCollection(pCollection, title)
 var line = "" + pCollection.key(i); // + " type: " + typeof pCollection(i) + " cons: " + pCollection(i).constructor
 if (typeof pCollection(i) != "object" || pCollection(i) === null || !pCollection.HasKeys)
 {
- line += "" + Server.HTMLEncode(String(pCollection(i)))
+ line += "" + Server.HTMLEncode(String(pCollection(i))).replace(/\n/g, "
");
 }
 else
 {
diff --git a/APPL/Shared/Login.inc b/APPL/Shared/Login.inc
index 0f10508261..96b8e083be 100644
--- a/APPL/Shared/Login.inc
+++ b/APPL/Shared/Login.inc
@@ -556,6 +556,64 @@ function tryLogin(username, wachtwoord, params)
 if (username.indexOf("\\") > -1) username = username.split("\\")[1]; // strip domain name
+ // Brute force protection
+ S_login_attempts = 5; // daarboven lockout
+ S_login_lockout_delay = 0.2; // zoveel seconde * 2^attempts
+ S_login_lockout_delayfactor = 2; // De basis van de delay-groei
+ S_login_lockout_expire = 15; // zoveel minuten
+
+ var lockout_name = customerId + "_LOGINATTEMPTS";
+ var dtExpire = new Date();
+ dtExpire.setMinutes(dtExpire.getMinutes() - S_login_lockout_expire);
+
+ Application.Lock();
+ {
+ var lockout = myJSON.parse(Application(lockout_name) || "[]");
+ var found = 0;
+ for (var i = 0; i < lockout.length; i++)
+ {
+ var lockdata = lockout[i];
+ if (lockdata.lastdate < dtExpire) // Als laatste fout poging 15 minuten geleden is vergeten we alles
+ {
+ lockout.splice(i, 1); // verwijderen
+ i--;
+ continue;
+ }
+ if (lockdata.username == username.toLowerCase())
+ {
+ found = true;
+ lockdata.count ++;
+ lockdata.lastdate = new Date();
+ }
+ }
+ if (!found)
+ {
+ lockdata = { username: username.toLowerCase(),
+ count: 1,
+ firstdate: new Date(),
+ lastdate: new Date()
+ }
+ lockout.push(lockdata);
+ }
+ Application(lockout_name) = JSON.stringify(lockout).replace(/\{/g, "\n{");
+ }
+ Application.UnLock();
+
+ if (lockdata.count > S_login_attempts)
+ {
+ var dtRetry = new Date();
+ dtRetry.setMinutes(dtRetry.getMinutes() + S_login_lockout_expire);
+ login_fail_reason = "To many failed login attempts for {0}.\nPlease wait until {1} before trying again.".format(username, toISODateTimeString(dtRetry));
+ return false;
+ }
+ if (lockdata.count > 1)
+ {
+ var oSLNKDWF = new ActiveXObject("SLNKDWF.About");
+ // maximaal 80 seconde slapen, anders ASP-timeout
+ var sleepsec = Math.min(80, S_login_lockout_delay * Math.pow(S_login_lockout_delayfactor, lockdata.count - 1));
+ oSLNKDWF.Sleep(1000 * sleepsec);
+ }
+
 var logins = [];
 if (S("login_use_email"))
 {
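Review bot: After the `for` loop, `lockdata` is whichever entry was iterated last, not the entry for this username, because the matching branch never leaves the loop; whenever the user's entry is not the last element of the array, the `lockdata.count > S_login_attempts` and `lockdata.count > 1` checks below are evaluated against another user's counter, so the wrong account can be locked out or delayed. Adding `break;` directly after `lockdata.lastdate = new Date();` keeps `lockdata` bound to the matched entry (entries further down the list that have expired are then pruned on a later attempt, which is harmless). The expiry test `lockdata.lastdate < dtExpire` compares a value that went through `JSON.stringify` and `myJSON.parse` with a `Date`; unless `myJSON.parse` revives ISO strings into `Date` objects, `lastdate` is a string, the comparison is always false, and entries never expire, so a username that crossed `S_login_attempts` stays locked until the application restarts even though the message promises a retry time (which, incidentally, should read "Too many"). Because entries are keyed on username alone, repeated failures against a known account lock that account regardless of where they come from, and `oSLNKDWF.Sleep` holds an ASP worker thread for up to 80 s per request, both of which should be weighed against the thread pool size when these constants stop being hardcoded. tryLogin starts before this hunk and continues after it.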
@@ -618,6 +676,24 @@ function tryLogin(username, wachtwoord, params)
 /* global */ otp_user_key = oRs("prs_perslid_key").Value;
 oRs.Close();
+
+ if (user_key > 0)
+ { // Success! Wis eventuele lockout
+ Application.Lock();
+ var lockout = myJSON.parse(Application(lockout_name) || "[]");
+ for (var i = 0; i < lockout.length; i++)
+ {
+ var lockdata = lockout[i];
+ if (lockdata.username == username.toLowerCase())
+ {
+ lockout.splice(i, 1); // verwijderen
+ i--;
+ }
+ }
+ Application(lockout_name) = JSON.stringify(lockout);
+ Application.UnLock();
+ }
+
 return true;
 }
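Review bot: The clear-on-success block repeats the parse/scan/splice/stringify sequence of the attempt-recording block earlier in tryLogin, down to the `i--` after `splice`; a shared helper such as `function removeLoginAttempt(lockout_name, username)` called from both places would keep the two in step, and they already drift in that the first writes the JSON through `.replace(/\{/g, "\n{")` while this one stores it verbatim. Nothing between `Application.Lock()` and `Application.UnLock()` is guarded, so an exception from `myJSON.parse` on a malformed stored value leaves the application lock held for the remainder of the request; `try { … } finally { Application.UnLock(); }` bounds that, and the same applies to the lock in the first hunk. That `user_key > 0` means the credentials were accepted is inferred, since the assignment to `user_key` is not in the hunk, so that reading should be confirmed. tryLogin starts before this hunk; its closing brace is the last context line.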