salihkiraz / simplesamlphp-module-silauth
SimpleSAMLphp auth module implementing various security measures before calls to IdP ID Broker backend
Installs: 1
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 1
Forks: 4
Type:simplesamlphp-module
Requires
- php: >=7.0
- ext-json: *
- codemix/yii2-streamlog: ^1.3
- fillup/fake-bower-assets: ^2.0
- google/recaptcha: ^1.1
- monolog/monolog: ^1.22
- psr/log: ^1.0
- ramsey/uuid: ^3.5
- rlanvin/php-ip: ^1.0
- silinternational/idp-id-broker-php-client: ^4.0.0
- silinternational/php-env: ^2.0
- silinternational/psr3-adapters: ^2.3
- silinternational/yii2-json-log-targets: ^2.0
- simplesamlphp/simplesamlphp: ~1.18.6 || ~1.19.5
- yiisoft/yii2: ~2.0.12
- yiisoft/yii2-gii: ^2.0
Requires (Dev)
- behat/behat: ^3.2
- guzzlehttp/guzzle: ^6.0
- phpunit/phpunit: ^5.6.1
- dev-develop
- 7.0.6
- 7.0.4
- 7.0.3
- 7.0.2
- 7.0.1
- 7.0.0
- 6.1.9
- 6.1.8
- 6.1.7
- 6.1.6
- 6.1.5
- 6.1.4
- 6.1.3
- 6.1.2
- 6.1.1
- 6.1.0
- 6.0.0
- 5.1.0
- 5.0.0
- 4.1.0
- 4.0.8
- 4.0.7
- 4.0.6
- 4.0.3
- 4.0.2
- 4.0.1
- 4.0.0
- 3.0.0
- 2.4.0
- 2.3.4
- 2.3.3
- 2.3.2
- 2.3.1
- 2.3.0
- 2.2.1
- 2.2.0
- 2.1.0
- 2.0.1
- 2.0.0
- 1.1.0
- 1.0.0
- 0.4.4
- 0.4.3
- 0.4.2
- 0.4.1
- 0.4.0
- 0.3.2
- 0.3.1
- 0.3.0
- dev-master
- dev-feature/ssp-1-19
This package is not auto-updated.
Last update: 2024-12-05 21:51:47 UTC
README
SimpleSAMLphp auth module implementing custom business logic
Database Migrations
To create another database migration file, run the following (replacing
YourMigrationName
with whatever you want the migration to be named, using
CamelCase):
make migration NAME=YourMigrationName
Rate Limiting
SilAuth will rate limit failed logins by username and by every untrusted IP address from a login attempt.
tl;dr ("the short version")
If there have been more than 10 failed logins for a given username (or IP address) within the past hour, a captcha will be included in the webpage. The user may or may not have to directly interact with the captcha, though.
If there have been more than 50 failed logins for that username (or IP address) within the past hour, logins for that username (or IP address) will be blocked for up to an hour.
Details
For each login attempt, if it has too many failed logins within the last hour (aka. recent failed logins) for the given username OR for any single untrusted IP address associated with the current request, it will do one of the following:
- If there are fewer than
Authenticator::REQUIRE_CAPTCHA_AFTER_NTH_FAILED_LOGIN
recent failures: process the request normally. - If there are at least that many, but fewer than
Authenticator::BLOCK_AFTER_NTH_FAILED_LOGIN
: require the user to pass a captcha. - If there are more than that: block that login attempt for
(recent failures above the limit)^2
seconds after the most recent failed login, with a minimum of 3 (so blocking for 9 seconds). - Note: the blocking time is capped at an hour, so if no more failures occur, then the user will be unblocked in no more than an hour.
See features/login.feature
for descriptions of how various situations are
handled. That file not only contains human-readable scenarios, but those are
also actual tests that are run to ensure those descriptions are correct.
Example 1
- If
BLOCK_AFTER_NTH_FAILED_LOGIN
is 50, and - if
REQUIRE_CAPTCHA_AFTER_NTH_FAILED_LOGIN
is 10, and - if there have been 4 failed login attempts for
john_smith
, and - there have been 10 failed login attempts from
11.22.33.44
, and - there have been 3 failed login attempts from
192.168.1.2
, and - someone tries to login as
john_smith
from192.168.1.2
and their request goes through a proxy at11.22.33.44
, then - they will have to pass a captcha, but they will not yet be blocked.
Example 2
- However, if all of the above is true, but
- there have now been 55 failed login attempts from
11.22.33.44
, then - any request involving that IP address will be blocked for 25 seconds after the most recent of those failed logins.
Excluding trusted IP addresses from IP address based rate limiting
Since this application enforces rate limits based on the number of recent
failed login attempts by both username and IP address, and since it looks at
both the REMOTE_ADDR and the X-Forwarded-For header for IP addresses, you will
want to list any IP addresses that should NOT be rate limited (such as your
load balancer) in the TRUSTED_IP_ADDRESSES environment variable (see
local.env.dist
).
Status Check
To check the status of the website, you can access this URL:
https://(your domain name)/module.php/silauth/status.php
Debugging
To debug the project in your IDE (such as NetBeans), do the following:
- Edit your
local.env
file, insert your IP address as the value forXDEBUG_REMOTE_HOST
. - Run
make start enabledebug
. - Set your IDE to use debugger port 9000 and a Session ID of netbeans-xdebug.
- Click the "Debug Project" button in your IDE.
Manual Testing
- Add an entry to your
/etc/hosts
file for127.0.0.1 silauth.local
- Run
make
- Go to http://silauth.local/module.php/core/authenticate.php?as=silauth in your browser.
Debugging
Xdebug can be enabled by doing the following:
- Define
REMOTE_DEBUG_IP
inlocal.env
. This should be the IP address of your development machine, i.e. the one that is running your IDE. If you're using Linux as your Docker host, you can use 172.17.0.1 here. - Map run-debug.sh into the container you wish to debug. For example:
volumes: - ./development/run-debug.sh:/data/run.sh
- Enable debugging in your IDE. See the next section for PhpStorm setup.
Configuring PhpStorm for remote debugging
In PhpStorm go to: Preferences > PHP > Debug > DBGp Proxy and set the following settings:
- Host: (your IP address or hostname)
- Port: 9000
Set path mappings in: Preferences > PHP > Servers
- Add a server and map the project folder to '/data/vendor/simplesamlphp/simplesamlphp/modules/silauth'
- Map other directories as needed. PhpStorm should prompt when an unrecognized path is encountered.
Then start listening by clicking the "listen" button on the PhpStorm toolbar.