Merge pull request #7787 from zmstone/0426-bad-password-penalty

fix: add 2 seconds delay penalty for bad logins

lib-ce/emqx_dashboard/src/emqx_dashboard_admin.erl

@@ -183,13 +183,21 @@ check(Username, Password) ->
     case lookup_user(Username) of
         [#mqtt_admin{password = PwdHash}] ->
             case is_valid_pwd(PwdHash, Password) of
-                true  -> ok;
+                true  ->
-                false -> {error, <<"Username/Password error">>}
+                    ok;
+                false ->
+                    ok = bad_login_penalty(),
+                    {error, <<"Username/Password error">>}
             end;
         [] ->
+            ok = bad_login_penalty(),
             {error, <<"Username/Password error">>}
     end.
 
+bad_login_penalty() ->
+    timer:sleep(2000),
+    ok.
+
 is_valid_pwd(<<Salt:4/binary, Hash/binary>>, Password) ->
     Hash =:= md5_hash(Salt, Password).