Procházet zdrojové kódy

Fever API: log the client IP address on authentication failure (#8981)

A failed Fever API auth returns {"auth":0} with HTTP 200, so from the web
server log a failure is indistinguishable from a success and fail2ban
cannot act. The failure was already logged to API_LOG, but without the
client IP. Append the remote IP (Minz_Request::connectionRemoteAddress())
so a fail2ban filter watching data/users/_/log_api.txt can ban repeated
attempts.

For https://github.com/FreshRSS/FreshRSS/issues/6814

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Jam Balaya před 2 dny
rodič
revize
988c678634
1 změnil soubory, kde provedl 2 přidání a 1 odebrání
  1. 2 1
      p/api/fever.php

+ 2 - 1
p/api/fever.php

@@ -188,7 +188,8 @@ final class FeverAPI
 				Minz_Log::error('Fever API: Please reset your API password!');
 				Minz_User::change();
 			}
-			Minz_Log::warning('Fever API: wrong credentials! ' . $feverKey, API_LOG);
+			Minz_Log::warning('Fever API: wrong credentials! ' . $feverKey .
+				' ; Remote IP address=' . Minz_Request::connectionRemoteAddress(), API_LOG);
 		}
 		return false;
 	}