From a71e81eee29187f2fb496214a395b5d4849e0fcf Mon Sep 17 00:00:00 2001
From: Thulinma
Date: Mon, 31 Jan 2022 23:18:40 +0100
Subject: [PATCH] Fix anti-bruteforcing sleep to be outside of any locking
---
 src/controller/controller_api.cpp | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/controller/controller_api.cpp b/src/controller/controller_api.cpp
index 4e935aba..672ce24d 100644
--- a/src/controller/controller_api.cpp
+++ b/src/controller/controller_api.cpp
@@ -409,12 +409,15 @@ int Controller::handleAPIConnection(Socket::Connection &conn){
 }
 if (authorized){
 handleAPICommands(Request, Response);
- }else{// unauthorized
- Util::sleep(1000); // sleep a second to prevent bruteforcing
- logins++;
+ Controller::checkServerLimits(); /*LTS*/
 }
- Controller::checkServerLimits(); /*LTS*/
 }// config mutex lock
+ if (!authorized){
+ // sleep a second to prevent bruteforcing.
+ // We need to make sure this happens _after_ unlocking the mutex!
+ Util::sleep(1000);
+ logins++;
+ }
 // send the response, either normally or through JSONP callback.
 std::string jsonp = "";
 if (H.GetVar("callback") != ""){jsonp = H.GetVar("callback");}
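Review bot: `Controller::checkServerLimits(); /*LTS*/` now sits inside the `if (authorized){` branch, whereas the removed line ran it after the if/else for every request, including unauthorized ones; the commit subject only mentions moving the sleep, so this reads as an unannounced behaviour change. If skipping the limit check for unauthorized requests is intended, record it with a comment such as `// limits are deliberately not re-checked for unauthorized requests`; if not, keep the call after the branch, still inside the config-mutex scope. The new comment would also help the next reader if it said why the order matters, e.g. `// sleeping while holding the config mutex would let unauthenticated clients stall every other holder`. `logins++` is now outside the locked scope as well, which is only safe if `logins` is local to this connection handler; the hunk does not show its declaration, since handleAPIConnection starts and ends outside it.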