EC-CUBE · chihiro-adachi · Aug 1, 2022 · Jul 24, 2022 · Jul 26, 2022 · Aug 1, 2022
diff --git a/.env.dist b/.env.dist
@@ -30,6 +30,12 @@ DATABASE_CHARSET=utf8
 MAILER_DSN=null://null
 ###< symfony/mailer ###
 
+###> symfony/lock ###
+# Choose one of the stores below
+# postgresql+advisory://db_user:db_password@localhost/db_name
+LOCK_DSN=semaphore
+###< symfony/lock ###
+
 ###> APPLICATION CONFIG ###
 # EC-CUBE Configs. The default value is defined in app/config/packages/eccube.yaml.
 # Please remove commented out and enable it if you want to change.

diff --git a/app/config/eccube/packages/eccube.yaml b/app/config/eccube/packages/eccube.yaml
@@ -148,3 +148,5 @@ parameters:
       - admin_content_css
       - admin_content_js
       - admin_store_template_install
+    eccube_login_throttling_max_attempts: 5
+    eccube_login_throttling_interval: '30 minutes'
diff --git a/app/config/eccube/packages/security.yaml b/app/config/eccube/packages/security.yaml
@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     encoders:
         # Our user class and the algorithm we'll use to encode passwords
         # https://symfony.com/doc/current/security.html#c-encoding-the-user-s-password
@@ -22,40 +23,44 @@ security:
             security: false
         admin:
             pattern: '^/%eccube_admin_route%/'
-            anonymous: true
             provider: member_provider
             form_login:
+                enable_csrf: true
                 check_path: admin_login
                 login_path: admin_login
-                csrf_token_generator: security.csrf.token_manager
                 default_target_path: admin_homepage
                 username_parameter: 'login_id'
                 password_parameter: 'password'
                 use_forward: false
                 success_handler: eccube.security.success_handler
                 failure_handler: eccube.security.failure_handler
+            login_throttling:
+                max_attempts: '%eccube_login_throttling_max_attempts%'
+                interval: '%eccube_login_throttling_interval%'
             logout:
                 path: admin_logout
                 success_handler: eccube.security.logout.success_handler
         customer:
             pattern: ^/
-            anonymous: true
             provider: customer_provider
             remember_me:
                 secret: '%kernel.secret%'
                 lifetime: 3600
                 name: eccube_remember_me
                 remember_me_parameter: 'login_memory'
             form_login:
+                enable_csrf: true
                 check_path: mypage_login
                 login_path: mypage_login
-                csrf_token_generator: security.csrf.token_manager
                 default_target_path: homepage
                 username_parameter: 'login_email'
                 password_parameter: 'login_pass'
                 use_forward: false
                 success_handler: eccube.security.success_handler
                 failure_handler: eccube.security.failure_handler
+            login_throttling:
+                max_attempts: '%eccube_login_throttling_max_attempts%'
+                interval: '%eccube_login_throttling_interval%'
             logout:
                 path: logout
                 target: homepage

diff --git a/codeception/_data/plugins/Bundle-1.0.0.tgz b/codeception/_data/plugins/Bundle-1.0.0.tgz
diff --git a/codeception/_data/plugins/Bundle-1.0.1.tgz b/codeception/_data/plugins/Bundle-1.0.1.tgz
diff --git a/composer.json b/composer.json
@@ -79,6 +79,7 @@
         "symfony/process": "^5.4",
         "symfony/property-access": "^5.4",
         "symfony/proxy-manager-bridge": "^5.4",
+        "symfony/rate-limiter": "^5.4",
         "symfony/routing": "^5.4",
         "symfony/security-bundle": "^5.4",
         "symfony/serializer": "^5.4",

diff --git a/composer.lock b/composer.lock
diff --git a/phpunit.xml.dist b/phpunit.xml.dist
@@ -17,6 +17,12 @@
         <server name="SHELL_VERBOSITY" value="-1" />
         <server name="SYMFONY_PHPUNIT_REMOVE" value="symfony/yaml" />
         <server name="SYMFONY_PHPUNIT_VERSION" value="9.5" />
+
+        <!-- ###+ symfony/lock ### -->
+        <!-- Choose one of the stores below -->
+        <!-- postgresql+advisory://db_user:db_password@localhost/db_name -->
+        <env name="LOCK_DSN" value="semaphore"/>
+        <!-- ###- symfony/lock ### -->
     </php>
 
     <testsuites>

diff --git a/src/Eccube/EventListener/LoginHistoryListener.php b/src/Eccube/EventListener/LoginHistoryListener.php
@@ -24,7 +24,9 @@
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\Security\Core\AuthenticationEvents;
 use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
+use Symfony\Component\Security\Http\Event\LoginFailureEvent;
 use Symfony\Component\Security\Http\SecurityEvents;
 
 class LoginHistoryListener implements EventSubscriberInterface
@@ -74,7 +76,7 @@ public static function getSubscribedEvents()
     {
         return [
             SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin',
-            AuthenticationEvents::AUTHENTICATION_FAILURE => 'onAuthenticationFailure',
+            LoginFailureEvent::class => 'onAuthenticationFailure',
         ];
     }
 
@@ -103,7 +105,7 @@ public function onInteractiveLogin(InteractiveLoginEvent $event)
         }
     }
 
-    public function onAuthenticationFailure(AuthenticationFailureEvent $event)
+    public function onAuthenticationFailure(LoginFailureEvent $event)
     {
         $request = $this->requestStack->getCurrentRequest();
 
@@ -116,9 +118,12 @@ public function onAuthenticationFailure(AuthenticationFailureEvent $event)
             return;
         }
 
-        $userName = $event->getAuthenticationToken()->getUsername();
         $Member = null;
-        if ($userName) {
+        $userName = null;
+        $passport = $event->getPassport();
+        if ($passport->hasBadge(UserBadge::class)) {
+            $userName = $passport->getBadge(UserBadge::class)
+                ->getUserIdentifier();
             $Member = $this->memberRepository->findOneBy(['login_id' => $userName]);
         }
 

diff --git a/src/Eccube/Resource/locale/validators.ja.yaml b/src/Eccube/Resource/locale/validators.ja.yaml
@@ -22,6 +22,9 @@ Invalid credentials.: |
 Invalid CSRF token.: |
   ログインできませんでした。
   入力内容に誤りがないかご確認ください。
+Too many failed login attempts, please try again later.: ログイン試行回数を超えました。しばらくして再度お試しください。
+Too many failed login attempts, please try again in %minutes% minute.: ログイン試行回数が多すぎます。%minutes%分後に再度お試しください。
+Too many failed login attempts, please try again in %minutes% minutes.: ログイン試行回数が多すぎます。%minutes%分後に再度お試しください。
 
 #------------------------------------------------------------------------------------
 # EC-CUBE error message

diff --git a/symfony.lock b/symfony.lock
@@ -491,6 +491,18 @@
     "symfony/intl": {
         "version": "v3.4.1"
     },
+    "symfony/lock": {
+        "version": "5.4",
+        "recipe": {
+            "repo": "github.com/symfony/recipes",
+            "branch": "main",
+            "version": "5.2",
+            "ref": "a1c8800e40ae735206bb14586fdd6c4630a51b8d"
+        },
+        "files": [
+            "app/config/eccube/packages/lock.yaml"
+        ]
+    },
     "symfony/mailer": {
         "version": "5.4",
         "recipe": {
@@ -587,6 +599,9 @@
     "symfony/proxy-manager-bridge": {
         "version": "v3.4.4"
     },
+    "symfony/rate-limiter": {
+        "version": "v5.4.9"
+    },
     "symfony/routing": {
         "version": "3.3",
         "recipe": {