From 9677a9f71777d75f3def0b0cb238050a30ec6a67 Mon Sep 17 00:00:00 2001
From: =Corey Hulen <corey@hulen.com>
Date: Wed, 29 Jul 2015 01:26:10 -0800
Subject: Fixes mm-1355 adds rate limiting apis

---
 api/user.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'api/user.go')

diff --git a/api/user.go b/api/user.go
index e1d5e83dd..94b4eca18 100644
--- a/api/user.go
+++ b/api/user.go
@@ -282,12 +282,26 @@ func LoginByEmail(c *Context, w http.ResponseWriter, r *http.Request, email, nam
 }
 
 func checkUserPassword(c *Context, user *model.User, password string) bool {
+
+	if user.FailedAttempts >= utils.Cfg.ServiceSettings.AllowedLoginAttempts {
+		c.LogAuditWithUserId(user.Id, "fail")
+		c.Err = model.NewAppError("checkUserPassword", "Your account is locked because of too many failed password attempts. Please reset your password.", "user_id="+user.Id)
+		c.Err.StatusCode = http.StatusForbidden
+		return false
+	}
+
 	if !model.ComparePassword(user.Password, password) {
 		c.LogAuditWithUserId(user.Id, "fail")
 		c.Err = model.NewAppError("checkUserPassword", "Login failed because of invalid password", "user_id="+user.Id)
 		c.Err.StatusCode = http.StatusForbidden
+
+		if result := <-Srv.Store.User().UpdateFailedPasswordAttempts(user.Id, user.FailedAttempts+1); result.Err != nil {
+			c.LogError(result.Err)
+		}
+
 		return false
 	}
+
 	return true
 }
 
-- 
cgit v1.2.3-1-g7c22