Problem:
It seems that logging in to tt-rss calls the check_password() function twice (with the uid of the user trying to log in), and this results in a log message: “Too many authentication attempts for USER, throttled.”

Tests:
I tried to log in in “no failure” mode (to prevent plugins from interacting with the standard login behaviour).
I tried on an account with 2FA activated and another without.

tt-rss version:
v21.10-a936e8063 from the git repo; not a Docker installation

Platform (i.e. Linux distro, PHP, PostgreSQL, etc) versions:
Standard LAMP with php 7.4, Apache 2.4, MariaDB 10.x

Current debugging:
I added a short line of code to print a backtrace, and it gives:

First call:
1. plugins/auth_internal/init.php(140): check_password(18, *edited*)
2. classes/auth/base.php(13): authenticate(test_user, *edited*, )
3. classes/pluginhost.php(198): hook_auth_user(test_user, *edited*, )
4. classes/userhelper.php(25): chain_hooks_callback(hook_auth_user, {Closure}, test_user, *edited*, )
5. classes/handler/public.php(362): authenticate(test_user, *edited*)
6. public.php(50): login()

Second call:
1. classes/userhelper.php(326): check_password(18, password)
2. classes/rpc.php(447): is_default_password()
3. classes/rpc.php(196): _make_init_params()
4. backend.php(133): sanityCheck()

Subsequently:
"Too many authentication attempts for test_user, throttled."

Has anyone reported the same problem (in the system logs)?
Is there anything I don’t see anywhere?

Thanks for any kind of clue, if you have some.

i’m not seeing this on a stock docker setup :man_shrugging:

i mean people would’ve noticed if nobody could login :slight_smile:

I’ve seen this too in the ‘Severity: Everything’ logs on a non-docker install. But only with ‘admin’ logins! This log entry seems meaningless, since I can log in and out repeatedly as ‘admin’ without being ‘throttled’ or whatever?

idk?

likely related to default password checking, which is limited to the built-in admin account, which tbh you shouldn’t be using regardless

e: log entry reported is harmless because second password check is not used to log you in, unless you try to login again properly right afterwards.

i could add a hack to work around this particular issue but i think a different approach is needed i.e. throttling should be applied elsewhere. there was a related thread:

https://community.tt-rss.org/t/subscribe-with-ttrss-android-app-doesnt-seem-to-work/4859/6

throttling should be applied someplace during actual login process, i suppose, not just password checking (whatever the reason), and only for unsuccessful login attempts.


on an unrelated note, vscode now seemingly works fine on wayland. yay.
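The design fox argues for above (throttle inside the actual login step, only on unsuccessful attempts, so that an internal check like the default-password warning never consumes the attempt budget) is shown here as an added Python example. It is not tt-rss code: `LoginThrottle`, `authenticate`, `is_default_password`, the PBKDF2 hashing and the two constructed users are all hypothetical stand-ins for the corresponding tt-rss pieces.

```python
"""Added example: login throttling that counts only failed logins.

Hypothetical code, not tt-rss's. A pure check_password() has no side effects,
so non-login callers (the default-password warning) cannot trip the throttle.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5        # failures allowed before a lockout window starts
LOCKOUT_SECONDS = 300          # how long a locked login must wait
DEFAULT_PASSWORD = "password"  # the well-known default the thread mentions


@dataclass
class UserRecord:
    uid: int
    login: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs fast
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def make_user(uid: int, login: str, password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(uid, login, salt, hash_password(password, salt))


def check_password(user: UserRecord, password: str) -> bool:
    """Pure verification: no side effects, no throttling."""
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


def is_default_password(user: UserRecord) -> bool:
    """Warning-dialog check only; deliberately never touches the throttle."""
    return check_password(user, DEFAULT_PASSWORD)


class LoginThrottle:
    """Per-login counter of *failed* attempts; clock is injectable for tests."""

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS,
                 lockout: int = LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_failed, self.lockout, self.clock = max_failed, lockout, clock
        self._failed: Dict[str, Tuple[int, float]] = {}  # login -> (count, last failure)

    def is_throttled(self, login: str) -> bool:
        count, last = self._failed.get(login, (0, 0.0))
        if count < self.max_failed:
            return False
        if self.clock() - last >= self.lockout:
            del self._failed[login]      # lockout window elapsed, forget old failures
            return False
        return True

    def record_failure(self, login: str) -> None:
        count, _ = self._failed.get(login, (0, 0.0))
        self._failed[login] = (count + 1, self.clock())

    def record_success(self, login: str) -> None:
        self._failed.pop(login, None)

    def failed_count(self, login: str) -> int:
        return self._failed.get(login, (0, 0.0))[0]


def authenticate(users: Dict[str, UserRecord], throttle: LoginThrottle,
                 login: str, password: str) -> Tuple[Optional[UserRecord], str]:
    """The one place the throttle is consulted and updated."""
    if throttle.is_throttled(login):
        return None, "throttled"
    user = users.get(login)
    if user is None:
        hash_password(password, b"\x00" * 16)  # unknown login costs as much as a wrong password
        ok = False
    else:
        ok = check_password(user, password)
    if not ok:
        throttle.record_failure(login)
        return None, "bad_credentials"
    throttle.record_success(login)  # a good login clears earlier failures
    return user, "ok"


def demo() -> dict:
    """Constructed scenario mirroring the thread: a login followed by the
    extra default-password check, then a burst of wrong guesses."""
    clock = [1000.0]
    throttle = LoginThrottle(max_failed=3, lockout=300, clock=lambda: clock[0])
    users = {"admin": make_user(1, "admin", DEFAULT_PASSWORD),
             "test_user": make_user(18, "test_user", "correct horse battery staple")}
    r = {}
    _, r["admin_login"] = authenticate(users, throttle, "admin", DEFAULT_PASSWORD)
    r["admin_default_warning"] = is_default_password(users["admin"])
    r["admin_failed_after"] = throttle.failed_count("admin")   # still 0
    for _ in range(3):
        authenticate(users, throttle, "test_user", "wrong")
    _, r["test_user_locked"] = authenticate(users, throttle, "test_user", "correct horse battery staple")
    clock[0] += 301                                              # wait out the lockout
    _, r["test_user_after_wait"] = authenticate(users, throttle, "test_user", "correct horse battery staple")
    r["test_user_failed_after"] = throttle.failed_count("test_user")
    return r
```

Running `demo()` shows the two properties the thread is after: the admin login plus the default-password warning leaves the failure counter at zero, while only the three wrong guesses for test_user lead to a "throttled" result, which clears again once the window has passed and a correct login is made.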

I’m likely misinterpreting what you’re saying here, but I’m not using the default ‘admin’ password to login as ‘admin’, having changed admin’s password long ago. fwiw, I only use the admin login on occasion to check the ‘System’ tab for log issues.


admin account is special in that its password is checked against the default “password” on login so a warning dialog can be displayed.

https://git.tt-rss.org/fox/tt-rss/commit/85b974af323a5819c888439bad2bf46ccaaaa4cd

:ok_hand:

Tested today, it works!

Thanks a lot for considering this.