Issue #3505844: Flood service implementation

src/Controller/UseCodeController.php

@@ -5,6 +5,7 @@ namespace Drupal\access_code\Controller;
 use Drupal\access_code\Service\AccessCodeManager;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Database\Connection;
+use Drupal\Core\Flood\FloodInterface;
 use Drupal\Core\Logger\LoggerChannelFactoryInterface;
 use Drupal\Core\Messenger\MessengerInterface;
 use Drupal\Core\Url;
@@ -39,37 +40,67 @@ class UseCodeController extends ControllerBase {
    */
   protected $accessCodeManager;
 
+  /**
+   * The flood service.
+   *
+   * @var \Drupal\Core\Flood\FloodInterface
+   */
+  protected $flood;
+
   /**
    * Constructor.
    */
-  public function __construct(LoggerChannelFactoryInterface $logger_factory, Connection $database, MessengerInterface $messenger, AccessCodeManager $manager) {
+  public function __construct(
+    LoggerChannelFactoryInterface $logger_factory,
+    Connection $database,
+    MessengerInterface $messenger,
+    AccessCodeManager $manager,
+    FloodInterface $flood,
+  ) {
     $this->logger = $logger_factory->get('access_code');
     $this->database = $database;
     $this->messenger = $messenger;
     $this->accessCodeManager = $manager;
+    $this->flood = $flood;
   }
 
   /**
    * @inheritdoc
    */
   public static function create(ContainerInterface $container) {
-    return new static($container->get('logger.factory'), $container->get('database'), $container->get('messenger'), $container->get('access_code.manager'));
+    return new static(
+      $container->get('logger.factory'),
+      $container->get('database'),
+      $container->get('messenger'),
+      $container->get('access_code.manager'),
+      $container->get('flood'),
+    );
   }
 
   /**
    * Page callback for the use code link.
    */
   public function useCode($access_code, Request $request) {
-    $uid = $this->accessCodeManager->validateAccessCode($access_code);
+    $ip_address = $request->getClientIp();
+    $limit = $this->config('access_code.settings')->get('login_attempts_limit') ?: 5;
+    $window = $this->config('access_code.settings')->get('login_attempts_window') ?: 3600;
 
-    if ($uid) {
-      $user = User::load($uid);
+    if ($this->flood->isAllowed('access_code_login', $limit, $window, $ip_address)) {
+      $uid = $this->accessCodeManager->validateAccessCode($access_code);
 
-      $url = $this->accessCodeManager->processLogin($user);
-      return new RedirectResponse($url->toString());
-    }
-    else {
-      throw new AccessDeniedHttpException();
+      if ($uid) {
+        $user = User::load($uid);
+
+        $this->flood->clear('access_code_login', $ip_address);
+
+        $url = $this->accessCodeManager->processLogin($user);
+        return new RedirectResponse($url->toString());
+      } else {
+        $this->flood->register('access_code_login', $window, $ip_address);
+        throw new AccessDeniedHttpException();
+      }
+    } else {
+      throw new AccessDeniedHttpException('Too many failed attempts. Please try again later.');
     }
   }