Add bruteforce protection to password reset page
authorJoas Schilling <coding@schilljs.com>
Fri, 20 Jan 2023 12:10:09 +0000 (13:10 +0100)
committerJoas Schilling <coding@schilljs.com>
Thu, 2 Feb 2023 05:13:49 +0000 (06:13 +0100)
Signed-off-by: Joas Schilling <coding@schilljs.com>
core/Controller/LostController.php

index 6176e3cd5e58ee64d22099e48a283bd2e06d6185..044535c345bc971a3be61924f7f5151c62803b1f 100644 (file)
@@ -128,6 +128,8 @@ class LostController extends Controller {
         *
         * @PublicPage
         * @NoCSRFRequired
+        * @BruteForceProtection(action=passwordResetEmail)
+        * @AnonRateThrottle(limit=10, period=300)
         */
        public function resetform(string $token, string $userId): TemplateResponse {
                try {
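Review bot: The bruteforce action name `passwordResetEmail` placed on `resetform` looks like it is shared with the endpoint that sends the reset e-mail (the name suggests so; the other endpoint is not in this hunk), so failed token checks here and mail requests would accumulate in one counter per client. If that coupling is intended it deserves a docblock line such as `* Shares the passwordResetEmail action with the e-mail endpoint so token guessing and mail flooding are counted together`; otherwise a distinct action such as `passwordResetForm` keeps the two limits independent. The `@AnonRateThrottle(limit=10, period=300)` counts every anonymous request to this page, successful loads included, so a user behind a shared NAT or a mail client that prefetches links draws on the same budget as an attacker; a short comment recording that trade-off would help the next maintainer. The body of `resetform` continues past the end of the hunk.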
@@ -137,12 +139,14 @@ class LostController extends Controller {
                                || ($e instanceof InvalidTokenException
                                        && !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN]))
                        ) {
-                               return new TemplateResponse(
+                               $response = new TemplateResponse(
                                        'core', 'error', [
                                                "errors" => [["error" => $e->getMessage()]]
                                        ],
                                        TemplateResponse::RENDER_AS_GUEST
                                );
+                               $response->throttle();
+                               return $response;
                        }
                        return new TemplateResponse('core', 'error', [
                                'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
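Review bot: The `throttle()` added before the first return covers only that error response; the fallback `Password reset is disabled` response, which `TOKEN_NOT_FOUND` and `USER_UNKNOWN` reach whenever the first operand of the condition (outside this hunk) is false, is still returned unthrottled. If that hidden operand does not already route every failed token lookup into the throttled branch, a guessed token that simply does not exist would not count against the `passwordResetEmail` bruteforce action and would be limited only by the annotation-level rate throttle. Either apply the same `$response->throttle(); return $response;` pattern to that second response as well, or add a comment stating why it is deliberately exempt (for example that it is only reachable when password reset is disabled). The enclosing `resetform` method and its second return statement continue past the end of the hunk.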