Download the PHP package cirrusidentity/simplesamlphp-module-ratelimit without Composer

On this page you can find all versions of the php package cirrusidentity/simplesamlphp-module-ratelimit. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package simplesamlphp-module-ratelimit

Overview

This module provides functionality to rate limit aspects of SimpleSAMLphp (SSP).

Installation

Rate Limiting Auth Source

Any authsource that uses username and password (and also extends UserPassBase) can be wrapped with RateLimitUserPass to limit the number of authentication attempts an attacker can make.

Limiters

Configuration

All included limiters support these 2 settings:

Configuration should be done in authsources.php. The RateLimitUserPass authsource wraps other auth sources to enforce the rate limits. Each of your existing authsource definitions should get moved inside the 'delegate' key.

Limiters run in the order in which they are defined, not in the numerical order of their keys.

Sample Configuration

Standalone delegate/SSP 2 style configuration

In SSP v2, on the IdP side, an attacker cannot invoke an authsource directly. This allows you to define the rate limit authsource and have it reference another one in the config file.

Embedded delegate/SSP 1.x style configuration

In SSP 1.x there was no way to hide an authsource from someone invoking it directly through the test authsources functionality. This meant that, to truly rate limit an authsource, you had to hide its configuration inside the ratelimit authsource.

If no ratelimit block is defined then the UsernameLimiter and DeviceCookieLimiter are automatically enabled.

Blocking behavior

When a login attempt is blocked the authsource throws a WRONGUSERPASS error.

Login Loop Detection

When configured, this will stop the browser from looping indefinitely when interacting with a broken or misconfigured SP.

Configuration

Exploring with Docker

You can explore these features with Docker.

Then log in as admin:secret to https://ratelimit.local.stack-dev.cirrusidentity.com/simplesaml/ to confirm SSP is running.

Things to try

Blocking logins

To reach the admin test login endpoints you must first authenticate as an admin. Log in to https://ratelimit.local.stack-dev.cirrusidentity.com/simplesaml/admin as admin:secret.

The example-userpass authsource is configured with a low number of allowed login attempts. Try logging in 3 or 4 times with the same username and a wrong password and you should see log lines like:

[Tue Dec 06 22:04:23.114923 2022] [php:notice] [pid 58] [client 172.18.0.1:59924] %date{M j H:i:s} simplesamlphp NOTICE STAT [c854ab328b] User 'testuser' login attempt blocked by SimpleSAML\\Module\\ratelimit\\Limiters\\UsernameLimiter

If you try varying usernames with the same password (a password stuffing attack), then after a few attempts you should see:

User 'pass2' login attempt blocked by SimpleSAML\\Module\\ratelimit\\Limiters\\PasswordStuffingLimiter
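As an added example (not part of the module or of this page), a small Python script that parses SSP log lines of the form shown above and aggregates blocked attempts per limiter, user and client; the sample lines are constructed from the two on this page, and the "stuffing suspected" rule is this example's own heuristic.

```python
import re
from collections import Counter

# Constructed sample SSP log lines: the first and third are copied from this
# page, the others are constructed for this example (one uses single backslashes
# in the class name, one is a non-blocking line that must be ignored).
SAMPLE_LOG = r"""
[Tue Dec 06 22:04:23.114923 2022] [php:notice] [pid 58] [client 172.18.0.1:59924] %date{M j H:i:s} simplesamlphp NOTICE STAT [c854ab328b] User 'testuser' login attempt blocked by SimpleSAML\\Module\\ratelimit\\Limiters\\UsernameLimiter
[Tue Dec 06 22:04:25.201000 2022] [php:notice] [pid 58] [client 172.18.0.1:59926] %date{M j H:i:s} simplesamlphp NOTICE STAT [c854ab328b] User 'testuser' login attempt blocked by SimpleSAML\\Module\\ratelimit\\Limiters\\UsernameLimiter
[Tue Dec 06 22:05:01.000000 2022] [php:notice] [pid 58] [client 172.18.0.1:59930] %date{M j H:i:s} simplesamlphp NOTICE STAT [d1e2f3a4b5] User 'pass2' login attempt blocked by SimpleSAML\\Module\\ratelimit\\Limiters\\PasswordStuffingLimiter
[Tue Dec 06 22:05:02.000000 2022] [php:notice] [pid 58] [client 172.18.0.1:59931] %date{M j H:i:s} simplesamlphp NOTICE STAT [d1e2f3a4b5] User 'pass3' login attempt blocked by SimpleSAML\Module\ratelimit\Limiters\PasswordStuffingLimiter
[Tue Dec 06 22:05:03.000000 2022] [php:notice] [pid 58] [client 172.18.0.1:59932] %date{M j H:i:s} simplesamlphp NOTICE STAT [abcdef0123] Constructed non-blocking line for this example
"""

# Client address from the Apache prefix, then the ratelimit block message.
BLOCKED_RE = re.compile(
    r"\[client (?P<client>\S+?):\d+\].*?"
    r"User '(?P<user>[^']+)' login attempt blocked by (?P<limiter>\S+)"
)


def parse_blocked(log_text):
    """Return (client, user, limiter) tuples for every blocked attempt."""
    events = []
    for line in log_text.splitlines():
        m = BLOCKED_RE.search(line)
        if not m:
            continue
        # The limiter is logged as a fully qualified PHP class name; the page
        # shows doubled backslashes, so split on one or more and keep the last part.
        limiter = re.split(r"\\+", m.group("limiter"))[-1]
        events.append((m.group("client"), m.group("user"), limiter))
    return events


def summarize(events):
    """Aggregate blocked attempts by limiter, user and client address."""
    # PasswordStuffingLimiter firing for several distinct usernames is the
    # pattern of a stuffing run rather than one user mistyping (assumed heuristic).
    stuffing_users = {user for _, user, lim in events if lim == "PasswordStuffingLimiter"}
    return {
        "by_limiter": dict(Counter(lim for _, _, lim in events)),
        "by_user": dict(Counter(user for _, user, _ in events)),
        "by_client": dict(Counter(client for client, _, _ in events)),
        "stuffing_suspected": len(stuffing_users) >= 2,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_blocked(SAMPLE_LOG)).items():
        print(key, value)
```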

Loop Detection

Visiting the looping-login page will issue a request as an SP to log in with a local IdP and print out the attributes. Log in with user member and password memberpass. If you add a loop query parameter you can mimic a misbehaving SP that continuously sends a user back to the IdP to log in. The IdP is configured (see saml20-idp-hosted.php) with loop detection and will display an error page after too many loops.

Development

Run phpcs to check code style

./vendor/bin/phpcs

Run phpunit to test

./vendor/bin/phpunit

You can auto-correct some findings from phpcs. It is recommended you do this after staging your changes (or maybe even committing them), since there is a non-trivial chance it will just mess up your code.

./vendor/bin/phpcbf

I always have trouble with psalm and its cache, so I tend to run without caching:

./vendor/bin/psalm --no-cache

All versions of simplesamlphp-module-ratelimit with dependencies

Requires:
  • php ^8.1
  • ext-openssl *
  • simplesamlphp/assert ~1.1.3
  • simplesamlphp/composer-module-installer ~1.3.4
  • simplesamlphp/simplesamlphp ^2.2.0
  • symfony/http-foundation ^6.4