{"id":13684549,"url":"https://github.com/Ali1/cakephp-bruteforce","last_synced_at":"2025-04-30T21:30:57.968Z","repository":{"id":46488542,"uuid":"187266037","full_name":"Ali1/cakephp-bruteforce","owner":"Ali1","description":"A CakePHP plugin for dropping in Brute Force Protection to your controllers and methods. ","archived":false,"fork":false,"pushed_at":"2023-08-08T21:23:17.000Z","size":79,"stargazers_count":3,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-10-27T09:04:05.326Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Ali1.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-05-17T18:47:40.000Z","updated_at":"2023-08-08T21:14:19.000Z","dependencies_parsed_at":"2024-01-22T07:48:03.430Z","dependency_job_id":"be2b838f-eea6-46c7-995d-69afa569061f","html_url":"https://github.com/Ali1/cakephp-bruteforce","commit_stats":null,"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ali1%2Fcakephp-bruteforce","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ali1%2Fcakephp-bruteforce/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ali1%2Fcakephp-bruteforce/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ali1%2Fcakephp-bruteforce/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Ali1","download_url":"https://code
load.github.com/Ali1/cakephp-bruteforce/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224224797,"owners_count":17276428,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T14:00:34.756Z","updated_at":"2024-11-12T05:32:24.396Z","avatar_url":"https://github.com/Ali1.png","language":"PHP","funding_links":[],"categories":["Security"],"sub_categories":[],"readme":"# CakePHP Brute Force Plugin\n\n[![Framework](https://img.shields.io/badge/Framework-CakePHP%204.x-orange.svg)](http://cakephp.org)\n[![license](https://img.shields.io/github/license/ali1/cakephp-bruteforce.svg?maxAge=2592000)](/blob/master/LICENSE)\n[![Build Status](https://travis-ci.org/Ali1/cakephp-bruteforce.svg?branch=master)](https://travis-ci.org/Ali1/cakephp-bruteforce)\n[![Coverage Status](https://coveralls.io/repos/github/Ali1/cakephp-bruteforce/badge.svg?branch=master)](https://coveralls.io/github/Ali1/cakephp-bruteforce?branch=master)\n\nA CakePHP plugin for easy drop-in Brute Force Protection for your controller methods.\n\nComponent wrapper for [Ali1/BruteForceShield](https://github.com/Ali1/BruteForceShield)\n\n### Features\n* IP address-based protection\n* Uses the Cache class to store attempts, so no database installation is necessary\n* Logs blocked attempts (uses CakePHP Logs)\n* Does not count re-attempts with the same challenge details (e.g. 
if a user tries the same username/password combination a few times)\n* Can block multiple attempts at the same username earlier than the normal limit (to give users a chance to enter the correct username if they have been trying with the wrong one)\n* Can be applied in AppController::initialize for simpler setup when authentication plugins are used\n* Throws a catchable exception which can optionally be caught\n\n### Requirements\n\n* Composer\n* CakePHP 4.0+\n* PHP 7.2+\n\n### Installation\n\nIn your CakePHP root directory, run the following command:\n\n```\ncomposer require ali1/cakephp-bruteforce\n```\n\nThen in your Application.php in your project root, add the following snippet:\n\n```php\n// In project_root/Application.php:\n        $this-\u003eaddPlugin('Bruteforce');\n```\n\nor you can use the following shell command to enable the plugin in your bootstrap.php automatically:\n\n```\nbin/cake plugin load Bruteforce\n```\n\n### Basic Use\n\nLoad the component:\n````php\n// in AppController.php or any controller\n\n    public function initialize(): void\n    {\n        parent::initialize();\n        $this-\u003eloadComponent('Bruteforce.Bruteforce');\n    }\n````\n\nApply protection (`$this-\u003eBruteforce-\u003evalidate` must be called before actually verifying or acting on the user-submitted data):\n\n````php\n    public function login(): void\n    {\n        $config = new \\Ali1\\BruteForceShield\\Configuration(); // see possible options below\n\n        /**\n         * @param string $name a unique string to store the data under (use a different $name for each use of Brute\n         *                          Force protection within the same application)\n         * @param array $data an array of data, can use $this-\u003erequest-\u003egetData()\n         * @param \\Ali1\\BruteForceShield\\Configuration|null $config options\n         * @param string $cache Cache to use (default: 'default'). 
Make sure to use one with a duration longer than your time window, otherwise you will not be protected.\n         * @return void\n         */\n        $this-\u003eBruteforce-\u003evalidate(\n            'login',\n            ['username' =\u003e $this-\u003erequest-\u003egetData('username'), 'password' =\u003e $this-\u003erequest-\u003egetData('password')],\n            $config,\n            'default'\n        );\n\n        // the user will never get here if they fail Brute Force Protection:\n        // a TooManyAttemptsException will be thrown instead\n        // usual login code here\n    }\n````\n\n### Configuration Options\n\nThe third argument for `validate` is the \\Ali1\\BruteForceShield\\Configuration object.\n\nInstructions on configuring Brute Force Protection can be found [here](https://github.com/Ali1/BruteForceShield#configuration).\n\n### Usage\n\n#### For a username / password login method\n\n```php\n// UsersController.php\n    public function initialize(): void\n    {\n        parent::initialize();\n        $this-\u003eloadComponent('Bruteforce.Bruteforce');\n    }\n\n    ...\n\n    public function login()\n    {\n        // prior to actually verifying data\n        $bruteConfig = new \\Ali1\\BruteForceShield\\Configuration();\n        $bruteConfig-\u003esetTotalAttemptsLimit(5);\n        $bruteConfig-\u003esetStricterLimitOnKey('username', 3); // with the total limit of 5 above, this means the user has 3 chances to get the password right for one username, plus 2 more chances if they try a different username\n        $bruteConfig-\u003eaddUnencryptedKey('username'); // adding this means you can see which usernames are being attacked in your log files\n\n        $this-\u003eBruteforce-\u003evalidate(\n            'login', // unique name for this BruteForce action\n            ['username' =\u003e $this-\u003erequest-\u003egetData('username'), 'password' =\u003e $this-\u003erequest-\u003egetData('password')],\n            $bruteConfig\n        );\n        // rest of the login code to authorize the 
attempt\n    }\n```\n\n#### Prevent URL-based brute force\n\nNon-form data such as URL parameters can also be brute forced, so it can be protected in the same way:\n\n````php\n    /**\n     * @param string $hashedid\n     *\n     * @return \\Cake\\Http\\Response|null\n     */\n    public function publicAuthUrl(string $hashedid): ?\\Cake\\Http\\Response\n    {\n        try {\n            $bruteConfig = new \\Ali1\\BruteForceShield\\Configuration();\n            $bruteConfig-\u003eaddUnencryptedKey('hashedid');\n            $this-\u003eBruteforce-\u003evalidate(\n                'publicHash',\n                ['hashedid' =\u003e $hashedid],\n                $bruteConfig\n            );\n        } catch (\\Bruteforce\\Exception\\TooManyAttemptsException $e) {\n            $this-\u003eFlash-\u003eerror('Too many requests attempted. Please try again in a few minutes');\n            return $this-\u003eredirect('/');\n        }\n\n        // then check if the URL is actually valid\n\n        return null;\n    }\n````\n\n#### With user plugins (e.g. CakeDC/Users)\n\nAlthough not ideal, when using plugins that you do not wish to extend or modify, you can safely call the `validate` method in the AppController.php `initialize` method, since this runs prior to user verification within the plugin.\n\n```php\n// AppController.php::initialize()\n\n        $this-\u003eloadComponent('Bruteforce.Bruteforce'); // keep above any authentication components if running on initialize (default)\n        $this-\u003eBruteforce-\u003evalidate(\n            'login', // unique name for this BruteForce action\n            ['username' =\u003e $this-\u003erequest-\u003egetData('username'), 'password' =\u003e $this-\u003erequest-\u003egetData('password')] // user-entered data\n        );\n        // this will not affect any other action except ones containing POSTed usernames and passwords (empty challenges never get counted or 
blocked)\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAli1%2Fcakephp-bruteforce","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAli1%2Fcakephp-bruteforce","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAli1%2Fcakephp-bruteforce/lists"}