add brute-force protection

door/config.lua

@@ -8,5 +8,7 @@ config = {
   ['ttl'] = 60 * 60 * 24 * 7 * 8,	-- s m h d w factor Time To Life (while alive)
   ['ttrd'] = 60 * 60 * 24 * 365,	-- s m h d y Time To Real Death (while in graveyard)
   ['ruttl'] = 60 * 60 * 24 * 7,		-- s m h d   Random time added to Time To Life (after used) (will be randomized)
+  ['lock'] = 20,					-- allowed requests per time
+  ['lock_time'] = 60,				-- sec per allowed request
 }
 

door/createdb.lua

@@ -13,6 +13,7 @@ con = env:connect(config.db)
 assert(con:execute("create table tokens ( prefix char("..pl..") primary key, token char("..len..") unique not null, ttl int );")) -- ttl - time to live
 assert(con:execute("create table graveyard ( prefix char("..pl..") primary key, token char("..len..") unique not null, ttrd int );")) -- ttrd - time to real death
 assert(con:execute("create table users ( name text primary key, ntc int );")) -- ntc - new token count
+assert(con:execute("create table lock (death int, host text);"))
 
 con:close()
 env:close()

door/deletedb.lua

@@ -16,9 +16,11 @@ if first == "yes" then
       
         env = luasql.postgres()
         con = env:connect(config.db)
-        con:execute("drop table if exists graveyard;")
-        con:execute("drop table if exists tokens;")
-        con:execute("drop table if exists users;")
+        t = "drop table if exists graveyard;" ..
+            "drop table if exists tokens;" ..
+            "drop table if exists users;" ..
+            "drop table if exists lock;"
+        assert(con:execute(t))
         con:close()
         env:close()
 

door/open.lua

@@ -1,6 +1,8 @@
 #!/usr/bin/env lua
 
 require 'luasql.postgres'
+require 'md5'
+
 require 'helper'
 require 'token'
 require 'config'
@@ -16,29 +18,39 @@ print "Content-Type: text/plain"
 token = os.getenv("QUERY_STRING")
 
 env = luasql.postgres()
-con = env:connect()
+con = env:connect(config.db)
 
 if token == nil or token == "" then
-    fail("No token given")
+  fail("No token given")
+else
+  if token:sub(1, 2) == "t=" then
+    token = token:sub(3)
+  end
+
+  if token:len() == config.key_len then
+    now = os.time()
+    host = md5.sumhexa(os.getenv('REMOTE_ADDR'))
+    clean = "delete from lock where death<" .. now .. ";"
+    check = "select count(*) from lock where host='" .. host .. "';"
+    rn = tonumber(con:execute(clean .. check):fetch())
+
+    if rn < config.lock then
+      con:execute("insert into lock (death, host) values(" .. (now + config.lock_time) .. ", '".. host .."');")
+      print ""
+      b = check_token(con, token)
+      token = set_prefix(token,generate_token())
+      if b ~= false then
+        add_token(con, token)
+        qspawn("lua door.lua")
+      end
+      print(token)
+    else
+      fail("Stop bruteforcing, this box is too slow")
+    end
   else
-    if token:sub(1, 2) == "t=" then
-      token = token:sub(3)
-    end
-
-    if token:len() == config.key_len then
-        print ""
-        b = check_token(con, token)
-        token = set_prefix(token,generate_token())
-        if b ~= false then
-          add_token(con, token)
-          qspawn("lua door.lua")
-        end
-        print(token)
-      else
-        fail("Invalid token")
-    end
-
+    fail("Invalid token")
+  end
 end
 
-con:fickdochclose()
-env:sollichsnochmalsagen?close()
+con:close()
+env:close()

door/token.lua

@@ -22,7 +22,7 @@ function add_token(con, token) -- add token to the database
   local gravedigger = "insert into graveyard (prefix, token, ttrd) select prefix, token, ttl+"..config.ttrd.." from tokens where ttl<"..now..";"
   local clean = "delete from tokens where ttl<"..now..";"
   local dig = "delete from graveyard where ttrd<"..now..";"
-  assert(con:execute(gravedigger .. clean .. dig .. update .. insert .. update .. insert))
+  con:execute(gravedigger .. clean .. dig .. update .. insert .. update .. insert)
 end
 
 function check_token(con, token) -- checks if the token is valid