MAGETWO-50608: [Github][Security] Able to brute force API token access

Author: Alexander Paliarush

app/code/Magento/Integration/Cron/CleanExpiredAuthenticationFailures.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Integration\Cron;
+
+use Magento\Integration\Model\Oauth\Token\RequestLog\WriterInterface as RequestLogWriter;
+
+/**
+ * Cron class for clearing log of outdated token request authentication failures.
+ */
+class CleanExpiredAuthenticationFailures
+{
+    /**
+     * @var RequestLogWriter
+     */
+    private $requestLogWriter;
+
+    /**
+     * Initialize dependencies.
+     *
+     * @param RequestLogWriter $requestLogWriter
+     */
+    public function __construct(
+        RequestLogWriter $requestLogWriter
+    ) {
+        $this->requestLogWriter = $requestLogWriter;
+    }
+
+    /**
+     * Clearing log of outdated token request authentication failures.
+     *
+     * @return void
+     */
+    public function execute()
+    {
+        $this->requestLogWriter->clearExpiredFailures();
+    }
+}

app/code/Magento/Integration/Model/CustomerTokenService.php

@@ -13,6 +13,7 @@
 use Magento\Integration\Model\Oauth\TokenFactory as TokenModelFactory;
 use Magento\Integration\Model\ResourceModel\Oauth\Token\CollectionFactory as TokenCollectionFactory;
 use Magento\Integration\Model\Oauth\Token\RequestThrottler;
+use Magento\Framework\Exception\AuthenticationException;
 
 class CustomerTokenService implements \Magento\Integration\Api\CustomerTokenServiceInterface
 {
@@ -78,7 +79,9 @@ public function createCustomerAccessToken($username, $password)
             $customerDataObject = $this->accountManagement->authenticate($username, $password);
         } catch (\Exception $e) {
             $this->getRequestThrottler()->logAuthenticationFailure($username, RequestThrottler::USER_TYPE_CUSTOMER);
-            throw $e;
+            throw new AuthenticationException(
+                __('You did not sign in correctly or your account is temporarily disabled.')
+            );
         }
         $this->getRequestThrottler()->resetAuthenticationFailuresCount($username, RequestThrottler::USER_TYPE_CUSTOMER);
         return $this->tokenModelFactory->create()->createCustomerToken($customerDataObject->getId())->getToken();

app/code/Magento/Integration/Model/Oauth/Token/RequestThrottler.php

@@ -66,7 +66,9 @@ public function throttle($userName, $userType)
     {
         $count = $this->requestLogReader->getFailuresCount($userName, $userType);
         if ($count >= $this->requestLogConfig->getMaxFailuresCount()) {
-            throw new AuthenticationException(__('Provided credentials are invalid or user account is locked.'));
+            throw new AuthenticationException(
+                __('You did not sign in correctly or your account is temporarily disabled.')
+            );
         }
     }
 

app/code/Magento/Integration/etc/crontab.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Cron:etc/crontab.xsd">
+    <group id="default">
+        <job name="outdated_authentication_failures_cleanup" instance="Magento\Integration\Cron\CleanExpiredAuthenticationFailures" method="execute">
+            <schedule>0 1 * * *</schedule>
+        </job>
+    </group>
+</config>