protected function checkThrottling($action, UserInterface $user = null)
{
// If we are just checking an existing logged in person, the global delay
// shouldn't stop them being logged in at all. Only their IP address and
// user a
if ($action === 'login') {
$globalDelay = $this->throttle->globalDelay();
if ($globalDelay > 0) {
$this->throwException("Too many unsuccessful attempts have been made globally, logins are locked for another [{$globalDelay}] second(s).", 'global', $globalDelay);
}
}
// Suspicious activity from a single IP address will not only lock
// logins but also any logged in users from that IP address. This
// should deter a single hacker who may have guessed a password
// within the configured throttling limit.
if (isset($this->ipAddress)) {
$ipDelay = $this->throttle->ipDelay($this->ipAddress);
if ($ipDelay > 0) {
$this->throwException("Suspicious activity has occured on your IP address and you have been denied access for another [{$ipDelay}] second(s).", 'ip', $ipDelay);
}
}
// We will only suspend people logging into a user account. This will
// leave the logged in user unaffected. Picture a famous person who's
// account is being locked as they're logged in, purely because
// others are trying to hack it.
if ($action === 'login' && isset($user)) {
$userDelay = $this->throttle->userDelay($user);
if ($userDelay > 0) {
$this->throwException("Too many unsuccessful login attempts have been made against your account. Please try again after another [{$userDelay}] second(s).", 'user', $userDelay);
}
}
return true;
}
