From 1f27b0fb2fdd2d6d87e90f705302404bae0266c8 Mon Sep 17 00:00:00 2001
From: TLSM
Date: Fri, 28 Oct 2022 13:58:59 -0400
Subject: [PATCH] Rate limit failed logins.

---
 files/routes/login.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/files/routes/login.py b/files/routes/login.py
index 7a2df43e02..11561859de 100644
--- a/files/routes/login.py
+++ b/files/routes/login.py
@@ -72,10 +72,19 @@ def check_for_alts(current:User):
 g.db.add(u)
+def login_deduct_when(resp):
+ if not g:
+ return False
+ elif not hasattr(g, 'login_failed'):
+ return False
+ return g.login_failed
+
 @app.post("/login")
-@limiter.limit("1/5 seconds;6/minute;100/hour;500/day")
+@limiter.limit("1/5 seconds;6/minute;15/hour;15/day",
+ deduct_when=login_deduct_when)
 def login_post():
 template = ''
+ g.login_failed = True
 username = request.values.get("username")
@@ -104,6 +113,7 @@ def login_post():
 if account.mfa_secret:
 now = int(time.time())
 hash = generate_hash(f"{account.id}+{now}+2fachallenge")
+ g.login_failed = False
 return render_template("login_2fa.html",
 v=account,
 time=now,
@@ -135,6 +145,7 @@ def login_post():
 else:
 abort(400)
+ g.login_failed = False
 on_login(account)
 redir = request.values.get("redirect")
@@ -160,6 +171,7 @@ def on_login(account, redir=None):
 if account.id == AEVANN_ID:
 session["verified"] = time.time()
 check_for_alts(account)
+
 @app.get("/me")
 @app.get("/@me")
 @auth_required
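Review bot: `login_deduct_when` depends on `g.login_failed` being set to True at the top of `login_post`, so any request that aborts early, raises, or never reaches one of the two `g.login_failed = False` sites is charged as a failure; that fail-closed default is the right choice but nothing records it, so add `# Default to failed; only the MFA-challenge and successful-login paths clear this.` beside the assignment. In the new limit string `15/hour` is fully subsumed by `15/day` and can be dropped without changing behaviour. The limiter's key function is not visible in this hunk; if it is the default client-address key, fifteen failures per day from a shared NAT or an untrusted forwarded header will lock out every user behind it, while failures against a single account spread over many clients are not throttled at all, so a second `limiter.limit` with a username-based `key_func` may be worth considering. `login_deduct_when` also has no docstring; `"""Return True when the finished request should count against the login rate limits."""` would suffice, and `login_post` continues past the end of this hunk.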