[stable28] feat: don't count failed CSRF as failed login attempt

core/Controller/LoginController.php

@@ -232,7 +232,7 @@ private function setPasswordResetInitialState(?string $username): void {
 			$this->canResetPassword($passwordLink, $user)
 		);
 	}
-	
+
 	/**
 	 * Sets the initial state of whether or not a user is allowed to login with their email
 	 * initial state is passed in the array of 1 for email allowed and 0 for not allowed
@@ -326,7 +326,8 @@ public function tryLogin(Chain $loginChain,
 				$user,
 				$user,
 				$redirect_url,
-				self::LOGIN_MSG_CSRFCHECKFAILED
+				self::LOGIN_MSG_CSRFCHECKFAILED,
+				false,
 			);
 		}
 
@@ -376,7 +377,12 @@ public function tryLogin(Chain $loginChain,
 	 * @return RedirectResponse
 	 */
 	private function createLoginFailedResponse(
-		$user, $originalUser, $redirect_url, string $loginMessage) {
+		$user,
+		$originalUser,
+		$redirect_url,
+		string $loginMessage,
+		bool $throttle = true,
+	) {
 		// Read current user and append if possible we need to
 		// return the unmodified user otherwise we will leak the login name
 		$args = $user !== null ? ['user' => $originalUser, 'direct' => 1] : [];
@@ -386,7 +392,9 @@ private function createLoginFailedResponse(
 		$response = new RedirectResponse(
 			$this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)
 		);
-		$response->throttle(['user' => substr($user, 0, 64)]);
+		if ($throttle) {
+			$response->throttle(['user' => substr($user, 0, 64)]);
+		}
 		$this->session->set('loginMessages', [
 			[$loginMessage], []
 		]);

tests/Core/Controller/LoginControllerTest.php

@@ -544,7 +544,6 @@ public function testLoginWithoutPassedCsrfCheckAndNotLoggedIn(): void {
 		$response = $this->loginController->tryLogin($loginChain, 'Jane', $password, $originalUrl);
 
 		$expected = new RedirectResponse('');
-		$expected->throttle(['user' => 'Jane']);
 		$this->assertEquals($expected, $response);
 	}