From d4162341e77438f7b4b94e46f3a7ea66b416c684 Mon Sep 17 00:00:00 2001
From: Richard Hansen
Date: Wed, 26 Aug 2020 21:44:26 -0400
Subject: [PATCH] webaccess: Always sleep for 1s before returning HTTP 401

Not all authentication plugins require the Authorization header, so it might not be present in subsequent attempts. (In particular, a reverse proxy might strip it.)
---
 src/node/hooks/express/webaccess.js | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/src/node/hooks/express/webaccess.js b/src/node/hooks/express/webaccess.js
index 0fe75c976..761a46ab8 100644
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@@ -35,17 +35,12 @@ exports.checkAccess = (req, res, next) => {
 const failure = () => {
 return hooks.aCallFirst('authFailure', {req, res, next}, hookResultMangle((ok) => {
 if (ok) return;
- /* No plugin handler for invalid auth. Return Auth required
- * Headers, delayed for 1 second, if authentication failed
- * before. */
+ // No plugin handled the authn/authz failure. Fall back to basic authentication.
 res.header('WWW-Authenticate', 'Basic realm="Protected Area"');
- if (req.headers.authorization) {
- setTimeout(() => {
- res.status(401).send('Authentication required');
- }, 1000);
- } else {
- res.status(401).send('Authentication required');
- }
+ // Delay the error response for 1s to slow down brute force attacks.
+ setTimeout(() => {
+ res.status(401).send('Authentication Required');
+ }, 1000);
 }));
 };
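Review bot: The new comment above the `setTimeout` overstates what the delay buys: a fixed 1s wait before each 401 only adds latency per attempt and does not bound how many attempts can be in flight at once, so on its own it is not a rate limit, while every failing request now holds its socket and a pending timer open for a second. I would make the comment honest about that so nobody relies on it: `// Delay the 401 by 1s. This only adds per-attempt latency; it does not limit concurrent attempts and is no substitute for real rate limiting.` Since the response is now always deferred, the callback should also skip sending when the client has already gone away, e.g. `if (res.headersSent || req.socket.destroyed) return;` as the first line inside the timer, if those properties are available in this Express version. Note too that the response body changes casing from 'Authentication required' to 'Authentication Required', which the commit message does not mention; if any client or test matches on that text it will break, so either keep the old string or call the change out in the description. The enclosing `checkAccess` function starts before and ends after this hunk.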