Merge pull request #7787 from zmstone/0426-bad-password-penalty

fix: add 2 seconds delay penalty for bad logins
2022-04-27 10:33:43 +01:00 · 2022-04-27 10:33:43 +01:00 · c5329d7f60
parent 0d43bd6243 4f45670725
commit c5329d7f60
1 changed files with 10 additions and 2 deletions
--- a/lib-ce/emqx_dashboard/src/emqx_dashboard_admin.erl
+++ b/lib-ce/emqx_dashboard/src/emqx_dashboard_admin.erl
@ -183,13 +183,21 @@ check(Username, Password) ->
    case lookup_user(Username) of
        [#mqtt_admin{password = PwdHash}] ->
            case is_valid_pwd(PwdHash, Password) of
-                true  -> ok;
-                false -> {error, <<"Username/Password error">>}
+                true  ->
+                    ok;
+                false ->
+                    ok = bad_login_penalty(),
+                    {error, <<"Username/Password error">>}
            end;
        [] ->
+            ok = bad_login_penalty(),
            {error, <<"Username/Password error">>}
    end.

+bad_login_penalty() ->
+    timer:sleep(2000),
+    ok.
+
 is_valid_pwd(<<Salt:4/binary, Hash/binary>>, Password) ->
    Hash =:= md5_hash(Salt, Password).