magento
diff --git a/‎app/code/Magento/Integration/Model/AdminTokenService.php
Lines changed: 23 additions & 0 deletions b/‎app/code/Magento/Integration/Model/AdminTokenService.php
Lines changed: 23 additions & 0 deletions
diff --git a/‎app/code/Magento/Integration/Model/CustomerTokenService.php
Lines changed: 28 additions & 1 deletion b/‎app/code/Magento/Integration/Model/CustomerTokenService.php
Lines changed: 28 additions & 1 deletion
diff --git a/‎app/code/Magento/Integration/Model/Oauth/Token/RequestLog/Config.php
Lines changed: 49 additions & 0 deletions b/‎app/code/Magento/Integration/Model/Oauth/Token/RequestLog/Config.php
Lines changed: 49 additions & 0 deletions
diff --git a/‎app/code/Magento/Integration/Model/Oauth/Token/RequestLog/ReaderInterface.php
Lines changed: 22 additions & 0 deletions b/‎app/code/Magento/Integration/Model/Oauth/Token/RequestLog/ReaderInterface.php
Lines changed: 22 additions & 0 deletions
diff --git a/‎app/code/Magento/Integration/Model/Oauth/Token/RequestLog/WriterInterface.php
Lines changed: 38 additions & 0 deletions b/‎app/code/Magento/Integration/Model/Oauth/Token/RequestLog/WriterInterface.php
Lines changed: 38 additions & 0 deletions
diff --git a/‎app/code/Magento/Integration/Model/Oauth/Token/RequestThrottler.php
Lines changed: 100 additions & 0 deletions b/‎app/code/Magento/Integration/Model/Oauth/Token/RequestThrottler.php
Lines changed: 100 additions & 0 deletions
@@ -13,6 +13,7 @@
 use Magento\Integration\Model\Oauth\TokenFactory as TokenModelFactory;
 use Magento\Integration\Model\ResourceModel\Oauth\Token\CollectionFactory as TokenCollectionFactory;
 use Magento\User\Model\User as UserModel;
+use Magento\Integration\Model\Oauth\Token\RequestThrottler;
 
 /**
  * Class to handle token generation for Admins
@@ -46,6 +47,11 @@ class AdminTokenService implements \Magento\Integration\Api\AdminTokenServiceInt
      */
     private $tokenModelCollectionFactory;
 
+    /**
+     * @var RequestThrottler
+     */
+    private $requestThrottler;
+
     /**
      * Initialize service
      *
@@ -72,8 +78,10 @@ public function __construct(
     public function createAdminAccessToken($username, $password)
     {
         $this->validatorHelper->validate($username, $password);
+        $this->getRequestThrottler()->throttle($username, RequestThrottler::USER_TYPE_ADMIN);
         $this->userModel->login($username, $password);
         if (!$this->userModel->getId()) {
+            $this->getRequestThrottler()->logAuthenticationFailure($username, RequestThrottler::USER_TYPE_ADMIN);
             /*
              * This message is same as one thrown in \Magento\Backend\Model\Auth to keep the behavior consistent.
              * Constant cannot be created in Auth Model since it uses legacy translation that doesn't support it.
@@ -83,6 +91,7 @@ public function createAdminAccessToken($username, $password)
                 __('You did not sign in correctly or your account is temporarily disabled.')
             );
         }
+        $this->getRequestThrottler()->resetAuthenticationFailuresCount($username, RequestThrottler::USER_TYPE_ADMIN);
         return $this->tokenModelFactory->create()->createAdminToken($this->userModel->getId())->getToken();
     }
 
@@ -104,4 +113,18 @@ public function revokeAdminAccessToken($adminId)
         }
         return true;
     }
+
+    /**
+     * Get request throttler instance
+     *
+     * @return RequestThrottler
+     * @deprecated
+     */
+    private function getRequestThrottler()
+    {
+        if (!$this->requestThrottler instanceof RequestThrottler) {
+            return \Magento\Framework\App\ObjectManager::getInstance()->get(RequestThrottler::class);
+        }
+        return $this->requestThrottler;
+    }
 }
@@ -12,6 +12,7 @@
 use Magento\Integration\Model\Oauth\Token as Token;
 use Magento\Integration\Model\Oauth\TokenFactory as TokenModelFactory;
 use Magento\Integration\Model\ResourceModel\Oauth\Token\CollectionFactory as TokenCollectionFactory;
+use Magento\Integration\Model\Oauth\Token\RequestThrottler;
 
 class CustomerTokenService implements \Magento\Integration\Api\CustomerTokenServiceInterface
 {
@@ -41,6 +42,11 @@ class CustomerTokenService implements \Magento\Integration\Api\CustomerTokenServ
      */
     private $tokenModelCollectionFactory;
 
+    /**
+     * @var RequestThrottler
+     */
+    private $requestThrottler;
+
     /**
      * Initialize service
      *
@@ -67,7 +73,14 @@ public function __construct(
     public function createCustomerAccessToken($username, $password)
     {
         $this->validatorHelper->validate($username, $password);
-        $customerDataObject = $this->accountManagement->authenticate($username, $password);
+        $this->getRequestThrottler()->throttle($username, RequestThrottler::USER_TYPE_CUSTOMER);
+        try {
+            $customerDataObject = $this->accountManagement->authenticate($username, $password);
+        } catch (\Exception $e) {
+            $this->getRequestThrottler()->logAuthenticationFailure($username, RequestThrottler::USER_TYPE_CUSTOMER);
+            throw $e;
+        }
+        $this->getRequestThrottler()->resetAuthenticationFailuresCount($username, RequestThrottler::USER_TYPE_CUSTOMER);
         return $this->tokenModelFactory->create()->createCustomerToken($customerDataObject->getId())->getToken();
     }
 
@@ -89,4 +102,18 @@ public function revokeCustomerAccessToken($customerId)
         }
         return true;
     }
+
+    /**
+     * Get request throttler instance
+     *
+     * @return RequestThrottler
+     * @deprecated
+     */
+    private function getRequestThrottler()
+    {
+        if (!$this->requestThrottler instanceof RequestThrottler) {
+            return \Magento\Framework\App\ObjectManager::getInstance()->get(RequestThrottler::class);
+        }
+        return $this->requestThrottler;
+    }
 }
@@ -0,0 +1,49 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Integration\Model\Oauth\Token\RequestLog;
+
+use Magento\Framework\App\Config\ReinitableConfigInterface;
+
+/**
+ * Token request log config.
+ */
+class Config
+{
+    /**
+     * @var ReinitableConfigInterface
+     */
+    private $storeConfig;
+
+    /**
+     * Initialize dependencies.
+     *
+     * @param ReinitableConfigInterface $storeConfig
+     */
+    public function __construct(ReinitableConfigInterface $storeConfig)
+    {
+        $this->storeConfig = $storeConfig;
+    }
+
+    /**
+     * Get maximum allowed authentication failures count before account is locked.
+     *
+     * @return int
+     */
+    public function getMaxFailuresCount()
+    {
+        return (int)$this->storeConfig->getValue('oauth/authentication_lock/max_failures_count');
+    }
+
+    /**
+     * Get period of time in seconds after which account will be unlocked.
+     *
+     * @return int
+     */
+    public function getLockTimeout()
+    {
+        return (int)$this->storeConfig->getValue('oauth/authentication_lock/timeout');
+    }
+}
@@ -0,0 +1,22 @@
+<?php
+/**
+ *
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Integration\Model\Oauth\Token\RequestLog;
+
+/**
+ * OAuth token request log reader interface.
+ */
+interface ReaderInterface
+{
+    /**
+     * Get number of authentication failures for the specified user account.
+     *
+     * @param string $userName
+     * @param int $userType
+     * @return int
+     */
+    public function getFailuresCount($userName, $userType);
+}
@@ -0,0 +1,38 @@
+<?php
+/**
+ *
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Integration\Model\Oauth\Token\RequestLog;
+
+/**
+ * OAuth token request log writer interface.
+ */
+interface WriterInterface
+{
+    /**
+     * Reset number of authentication failures for the specified user account.
+     *
+     * @param string $userName
+     * @param int $userType
+     * @param return void
+     */
+    public function resetFailuresCount($userName, $userType);
+
+    /**
+     * Increment number of authentication failures for the specified user account.
+     *
+     * @param string $userName
+     * @param int $userType
+     * @param return void
+     */
+    public function incrementFailuresCount($userName, $userType);
+
+    /**
+     * Clear expired authentication failure logs.
+     *
+     * @return void
+     */
+    public function clearExpiredFailures();
+}
@@ -0,0 +1,100 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Integration\Model\Oauth\Token;
+
+use Magento\Integration\Model\Oauth\Token\RequestLog\ReaderInterface as RequestLogReader;
+use Magento\Integration\Model\Oauth\Token\RequestLog\WriterInterface as RequestLogWriter;
+use Magento\Integration\Model\Oauth\Token\RequestLog\Config as RequestLogConfig;
+use Magento\Framework\Exception\AuthenticationException;
+
+/**
+ * Model for OAuth admin/customer token requests throttling.
+ */
+class RequestThrottler
+{
+    /**#@+
+     * Web API user type
+     */
+    const USER_TYPE_CUSTOMER = 2;
+    const USER_TYPE_ADMIN = 3;
+    /**#@-*/
+
+    /**
+     * @var RequestLogReader
+     */
+    private $requestLogReader;
+
+    /**
+     * @var RequestLogWriter
+     */
+    private $requestLogWriter;
+
+    /**
+     * @var RequestLogConfig
+     */
+    private $requestLogConfig;
+
+    /**
+     * Initialize dependencies.
+     *
+     * @param RequestLogReader $requestLogReader
+     * @param RequestLogWriter $requestLogWriter
+     * @param RequestLogConfig $requestLogConfig
+     */
+    public function __construct(
+        RequestLogReader $requestLogReader,
+        RequestLogWriter $requestLogWriter,
+        RequestLogConfig $requestLogConfig
+    ) {
+        $this->requestLogReader = $requestLogReader;
+        $this->requestLogWriter = $requestLogWriter;
+        $this->requestLogConfig = $requestLogConfig;
+    }
+
+    /**
+     * Throw exception if user account is currently locked because of too many failed authentication attempts.
+     *
+     * @param string $userName
+     * @param int $userType
+     * @return void
+     * @throws AuthenticationException
+     */
+    public function throttle($userName, $userType)
+    {
+        $count = $this->requestLogReader->getFailuresCount($userName, $userType);
+        if ($count >= $this->requestLogConfig->getMaxFailuresCount()) {
+            throw new AuthenticationException(__('Provided credentials are invalid or user account is locked.'));
+        }
+    }
+
+    /**
+     * Reset count of failed authentication attempts.
+     *
+     * Unlock user account and make generation of OAuth tokens possible for this account again.
+     *
+     * @param string $userName
+     * @param int $userType
+     * @return void
+     */
+    public function resetAuthenticationFailuresCount($userName, $userType)
+    {
+        $this->requestLogWriter->resetFailuresCount($userName, $userType);
+    }
+
+    /**
+     * Increment authentication failures count and lock user account if the limit is reached.
+     *
+     * Account will be locked until lock expires.
+     *
+     * @param string $userName
+     * @param int $userType
+     * @return void
+     */
+    public function logAuthenticationFailure($userName, $userType)
+    {
+        $this->requestLogWriter->incrementFailuresCount($userName, $userType);
+    }
+}