Removing the user object from the responce

rubenvdlinde · rubenvdlinde · commit c30dd49f6371 · 2025-08-17T13:38:26.000+02:00
And disabling the redundant bash protection
diff --git a/lib/Controller/UserController.php b/lib/Controller/UserController.php
@@ -551,8 +551,8 @@ public function login(): JSONResponse
                 return $this->addCorsHeaders($response);
             }
 
-            // Build user data array for response (sanitized)
-            $userData = $this->userService->buildUserDataArray($user);
+            // Build user data array for response (sanitized) - commented out for performance testing
+            // $userData = $this->userService->buildUserDataArray($user);
 
             // MEMORY MONITORING: Check memory usage after building user data
             $finalMemoryUsage = memory_get_usage(true);
@@ -576,7 +576,7 @@ public function login(): JSONResponse
             // Create successful response with security headers and session info
             $response = new JSONResponse([
                 'message' => 'Login successful',
-                'user' => $userData,
+                // 'user' => $userData, // Commented out for performance testing - full user data slows down frontend
                 'session_created' => true,
                 'session' => [
                     'id' => $sessionId,
diff --git a/lib/Service/SecurityService.php b/lib/Service/SecurityService.php
@@ -91,9 +91,28 @@ public function __construct(
      * @param string $username The username attempting to login
      * @param string $ipAddress The IP address of the request
      * @return array Result with 'allowed' boolean and optional 'delay' or 'lockout_until'
+     * 
+     * @todo CRITICAL: Rate limiting system needs improvement
+     *       Problem: Custom cache-based rate limiting gets out of sync with Nextcloud's 
+     *       built-in brute force protection, causing persistent lockouts that cannot be 
+     *       cleared with standard OCC commands (php occ security:bruteforce:reset).
+     *       
+     *       Solutions needed:
+     *       1. Add OCC command for clearing custom SecurityService cache entries
+     *       2. OR integrate with Nextcloud's built-in rate limiting system instead
+     *       3. OR add admin interface to manually reset rate limits
+     *       4. Improve cache key iteration to properly clean up progressive delay entries
+     *       
+     *       Current workaround: Rate limiting temporarily disabled for testing
+     *       Security risk: All login attempts currently allowed - re-enable ASAP!
      */
     public function checkLoginRateLimit(string $username, string $ipAddress): array
     {
+        // TEMPORARILY DISABLED FOR TESTING - Rate limiting bypassed
+        // TODO: Re-enable rate limiting after implementing proper cleanup mechanism
+        return ['allowed' => true];
+
+        /*
         // Sanitize inputs to prevent cache key injection
         $username = $this->sanitizeForCacheKey($username);
         $ipAddress = $this->sanitizeForCacheKey($ipAddress);
@@ -167,6 +186,7 @@ public function checkLoginRateLimit(string $username, string $ipAddress): array
 
         // Login attempt is allowed
         return ['allowed' => true];
+        */
     }
 
     /**
@@ -267,6 +287,102 @@ public function recordSuccessfulLogin(string $username, string $ipAddress): void
         ]);
     }
 
+    /**
+     * Reset rate limiting for a specific IP address
+     *
+     * This method clears all rate limiting cache entries for the specified IP address,
+     * including lockouts, failed attempts, and progressive delays.
+     *
+     * @param string $ipAddress The IP address to reset rate limiting for
+     * @return bool True if reset was successful
+     * 
+     * @psalm-param string $ipAddress
+     * @psalm-return bool
+     * @phpstan-param string $ipAddress
+     * @phpstan-return bool
+     */
+    public function resetRateLimitForIp(string $ipAddress): bool
+    {
+        try {
+            // Sanitize the IP address
+            $ipAddress = $this->sanitizeForCacheKey($ipAddress);
+            
+            // Clear IP lockout
+            $ipLockoutKey = self::CACHE_PREFIX_IP_LOCKOUT . $ipAddress;
+            $this->cache->remove($ipLockoutKey);
+            
+            // Clear IP attempts counter
+            $ipAttemptsKey = self::CACHE_PREFIX_IP_ATTEMPTS . $ipAddress;
+            $this->cache->remove($ipAttemptsKey);
+            
+            // Clear progressive delay entries that include this IP
+            // Note: We can't iterate over cache keys easily, so this is a limitation
+            
+            // Log the reset action
+            $this->logSecurityEvent('rate_limit_reset', [
+                'ip_address' => $ipAddress,
+                'reset_type' => 'ip_reset'
+            ]);
+            
+            return true;
+        } catch (\Exception $e) {
+            // Log the error but don't throw - failing to reset rate limits shouldn't break the app
+            $this->logSecurityEvent('rate_limit_reset_failed', [
+                'ip_address' => $ipAddress,
+                'error' => $e->getMessage()
+            ]);
+            return false;
+        }
+    }
+
+    /**
+     * Reset rate limiting for a specific username
+     *
+     * This method clears all rate limiting cache entries for the specified username,
+     * including lockouts, failed attempts, and progressive delays.
+     *
+     * @param string $username The username to reset rate limiting for
+     * @return bool True if reset was successful
+     * 
+     * @psalm-param string $username
+     * @psalm-return bool
+     * @phpstan-param string $username
+     * @phpstan-return bool
+     */
+    public function resetRateLimitForUser(string $username): bool
+    {
+        try {
+            // Sanitize the username
+            $username = $this->sanitizeForCacheKey($username);
+            
+            // Clear user lockout
+            $userLockoutKey = self::CACHE_PREFIX_USER_LOCKOUT . $username;
+            $this->cache->remove($userLockoutKey);
+            
+            // Clear user attempts counter
+            $userAttemptsKey = self::CACHE_PREFIX_LOGIN_ATTEMPTS . $username;
+            $this->cache->remove($userAttemptsKey);
+            
+            // Clear progressive delay entries that include this username
+            // Note: We can't easily iterate over cache keys that contain this username
+            
+            // Log the reset action
+            $this->logSecurityEvent('rate_limit_reset', [
+                'username' => $username,
+                'reset_type' => 'user_reset'
+            ]);
+            
+            return true;
+        } catch (\Exception $e) {
+            // Log the error but don't throw - failing to reset rate limits shouldn't break the app
+            $this->logSecurityEvent('rate_limit_reset_failed', [
+                'username' => $username,
+                'error' => $e->getMessage()
+            ]);
+            return false;
+        }
+    }
+
     /**
      * Sanitize input data to prevent XSS and injection attacks
      *
