diff --git a/eZ/Bundle/EzPublishRestBundle/Resources/config/default_settings.yml b/eZ/Bundle/EzPublishRestBundle/Resources/config/default_settings.yml
index 65a5a92e18e..d3212d2d926 100644
--- a/eZ/Bundle/EzPublishRestBundle/Resources/config/default_settings.yml
+++ b/eZ/Bundle/EzPublishRestBundle/Resources/config/default_settings.yml
@@ -84,3 +84,7 @@ parameters:
             refreshSession:
                 mediaType: 'UserSession'
                 href: 'templateRouter.generate("ezpublish_rest_refreshSession", {sessionId: "{sessionId}"})'
+
+    # Boundary times in microseconds which the authentication check will be delayed by.
+    ezpublish_rest.authentication_min_delay_time: 30000
+    ezpublish_rest.authentication_max_delay_time: 500000
diff --git a/eZ/Bundle/EzPublishRestBundle/Resources/config/security.yml b/eZ/Bundle/EzPublishRestBundle/Resources/config/security.yml
index ab87f69b888..ed9a823c626 100644
--- a/eZ/Bundle/EzPublishRestBundle/Resources/config/security.yml
+++ b/eZ/Bundle/EzPublishRestBundle/Resources/config/security.yml
@@ -15,6 +15,8 @@ services:
             - "@ezpublish.config.resolver"
             - "@session.storage"
             - "@?logger"
+            - "%ezpublish_rest.authentication_min_delay_time%"
+            - "%ezpublish_rest.authentication_max_delay_time%"
         abstract: true
 
     ezpublish_rest.security.authentication.logout_handler:
diff --git a/eZ/Publish/Core/REST/Server/Security/RestAuthenticator.php b/eZ/Publish/Core/REST/Server/Security/RestAuthenticator.php
index 6e44f04ed5d..43cd9f80750 100644
--- a/eZ/Publish/Core/REST/Server/Security/RestAuthenticator.php
+++ b/eZ/Publish/Core/REST/Server/Security/RestAuthenticator.php
@@ -38,6 +38,10 @@
  */
 class RestAuthenticator implements ListenerInterface, AuthenticatorInterface
 {
+    const DEFAULT_MIN_SLEEP_VALUE = 30000;
+
+    const DEFAULT_MAX_SLEEP_VALUE = 500000;
+
     /**
      * @var \Psr\Log\LoggerInterface
      */
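Review bot: The comment added above the two `ezpublish_rest.authentication_*_delay_time` parameters does not state how the two values relate, so an operator cannot tell that the lower one must not exceed the upper one. The consumer added in this commit draws a random value between the two with `random_int()`, so swapping them is a runtime failure rather than a harmless tweak; that relationship is inferred from the RestAuthenticator change, not from this file. Suggested wording: `# Lower and upper bound, in microseconds, of the random delay added to every REST authentication attempt; min must not exceed max.`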
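Review bot: `DEFAULT_MIN_SLEEP_VALUE` and `DEFAULT_MAX_SLEEP_VALUE` are added without visibility and without a docblock, so a reader cannot tell the unit or what the values are used for. If the project's minimum PHP version permits constant visibility (7.1+), declare them `private const`, since the service definition in this commit passes the configured values through parameters rather than referencing the constants; whether anything else reads them is not visible here. In either case add a docblock above each, e.g. `/** Default lower bound, in microseconds, of the random delay applied in authenticate(); overridden by ezpublish_rest.authentication_min_delay_time. */`, and the matching one for the upper bound.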
@@ -77,6 +81,16 @@ class RestAuthenticator implements ListenerInterface, AuthenticatorInterface
      */
     private $logoutHandlers = [];
 
+    /**
+     * @var int|null
+     */
+    private $minSleepTime;
+
+    /**
+     * @var int|null
+     */
+    private $maxSleepTime;
+
     public function __construct(
         TokenStorageInterface $tokenStorage,
         AuthenticationManagerInterface $authenticationManager,
@@ -84,7 +98,9 @@ public function __construct(
         EventDispatcherInterface $dispatcher,
         ConfigResolverInterface $configResolver,
         SessionStorageInterface $sessionStorage,
-        LoggerInterface $logger = null
+        LoggerInterface $logger = null,
+        $minSleepTime = self::DEFAULT_MIN_SLEEP_VALUE,
+        $maxSleepTime = self::DEFAULT_MAX_SLEEP_VALUE
     ) {
         $this->tokenStorage = $tokenStorage;
         $this->authenticationManager = $authenticationManager;
@@ -93,6 +109,8 @@ public function __construct(
         $this->configResolver = $configResolver;
         $this->sessionStorage = $sessionStorage;
         $this->logger = $logger;
+        $this->minSleepTime = !is_int($minSleepTime) ? self::DEFAULT_MIN_SLEEP_VALUE : $minSleepTime;
+        $this->maxSleepTime = !is_int($maxSleepTime) ? self::DEFAULT_MAX_SLEEP_VALUE : $maxSleepTime;
     }
 
     /**
@@ -107,6 +125,8 @@ public function handle(GetResponseEvent $event)
 
     public function authenticate(Request $request)
     {
+        usleep(random_int($this->minSleepTime, $this->maxSleepTime));
+
         // If a token already exists and username is the same as the one we request authentication for,
         // then return it and mark it as coming from session.
         $previousToken = $this->tokenStorage->getToken();
diff --git a/eZ/Publish/Core/Repository/UserService.php b/eZ/Publish/Core/Repository/UserService.php
index 06e8e63acf6..7496a64227c 100644
--- a/eZ/Publish/Core/Repository/UserService.php
+++ b/eZ/Publish/Core/Repository/UserService.php
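Review bot: The `@var int|null` annotations on the new `$minSleepTime` and `$maxSleepTime` properties do not match what is stored in them: the constructor assignments later in this file fall back to the class defaults whenever the argument is not an int, so both properties always hold an `int`. Change them to `@var int` and, because the unit is not obvious from the name, say what it is, e.g. `@var int Lower bound, in microseconds, of the random delay applied in authenticate()` and the matching text for the upper bound.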
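Review bot: The two added assignments accept any pair of ints without checking that the lower bound is non-negative and does not exceed the upper one; `random_int()` throws when its minimum is greater than its maximum, so a swapped or mistyped parameter turns every call to `authenticate()` into an uncaught error. The `is_int` fallback also hides misconfiguration rather than surfacing it: a numeric string (which is one way a value supplied through an environment variable can arrive, though the container wiring is not visible here) silently reverts to the default. After the two assignments add `if ($this->minSleepTime < 0 || $this->minSleepTime > $this->maxSleepTime) {`, `throw new \InvalidArgumentException('Authentication delay bounds must satisfy 0 <= min <= max (microseconds)');`, `}`, and consider accepting numeric strings via `is_numeric()` with an `(int)` cast instead of discarding them.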
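Review bot: The `usleep()` on the first added line of the `authenticate()` hunk runs before the existing-token short-circuit described by the comment right below it, so a request that merely reuses a session token pays the same delay as a credential check, and a PHP worker is held for up to the configured maximum on every call. If the intent is to blur the response-time difference between accepted and rejected credentials, the delay belongs after that short-circuit (outside this hunk), and it is worth documenting that a uniformly random delay only adds noise that repeated measurements can average out, so the credential path itself should also take uniform time where possible. Add a comment above the call, e.g. `// Random delay (microseconds, bounds from ezpublish_rest.authentication_{min,max}_delay_time) to blur timing differences between accepted and rejected credentials.` The body of authenticate() continues outside the hunk.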
@@ -572,7 +572,7 @@ public function loadUserByCredentials($login, $password, array $prioritizedLangu
             throw new InvalidArgumentValue('login', $login);
         }
 
-        if (!is_string($password)) {
+        if (!is_string($password) && $password !== null) {
             throw new InvalidArgumentValue('password', $password);
         }
 
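Review bot: The relaxed guard now lets `$password === null` through to the credential check that follows outside this hunk, and nothing in the change records why null is acceptable or how it is treated there. Confirm that the verification step treats null as a definite mismatch rather than coercing it to an empty string before comparing against the stored hash, and name the caller that relies on passing null in a one-line comment on the condition, e.g. `// null is accepted for callers that authenticate without a password; it must never compare equal to a stored hash`. The method's docblock (outside the hunk) should also change to `@param string|null $password`. loadUserByCredentials starts and ends outside the hunk.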