feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep

Signed-off-by: Joas Schilling <coding@schilljs.com>

config/config.sample.php

@@ -352,6 +352,19 @@ $CONFIG = [
  */
 'auth.bruteforce.protection.enabled' => true,
 
+/**
+ * Whether the bruteforce protection shipped with Nextcloud should be set to testing mode.
+ *
+ * In testing mode bruteforce attempts are still recorded, but the requests do
+ * not sleep/wait for the specified time. They will still abort with
+ * "429 Too Many Requests" when the maximum delay is reached.
+ * Enabling this is discouraged for security reasons
+ * and should only be done for debugging and on CI when running tests.
+ *
+ * Defaults to ``false``
+ */
+'auth.bruteforce.protection.testing' => false,
+
 /**
  * Whether the rate limit protection shipped with Nextcloud should be enabled or not.
  *

lib/private/Security/Bruteforce/Throttler.php

@@ -280,7 +280,9 @@ class Throttler implements IThrottler {
 	 */
 	public function sleepDelay(string $ip, string $action = ''): int {
 		$delay = $this->getDelay($ip, $action);
-		usleep($delay * 1000);
+		if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
+			usleep($delay * 1000);
+		}
 		return $delay;
 	}
 
@@ -304,7 +306,9 @@ class Throttler implements IThrottler {
 				'delay' => $delay,
 			]);
 		}
-		usleep($delay * 1000);
+		if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
+			usleep($delay * 1000);
+		}
 		return $delay;
 	}
 }