From 704eb3aa6cecc0a646f5cca4290b595f493f9ed3 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Fri, 20 Jan 2023 13:10:09 +0100
Subject: [PATCH] Add bruteforce protection to password reset page

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 core/Controller/LostController.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 6176e3cd5e5..044535c345b 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -128,6 +128,8 @@ class LostController extends Controller {
 	 *
 	 * @PublicPage
 	 * @NoCSRFRequired
+	 * @BruteForceProtection(action=passwordResetEmail)
+	 * @AnonRateThrottle(limit=10, period=300)
 	 */
 	public function resetform(string $token, string $userId): TemplateResponse {
 		try {
@@ -137,12 +139,14 @@ class LostController extends Controller {
 				|| ($e instanceof InvalidTokenException
 					&& !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN]))
 			) {
-				return new TemplateResponse(
+				$response = new TemplateResponse(
 					'core', 'error', [
 						"errors" => [["error" => $e->getMessage()]]
 					],
 					TemplateResponse::RENDER_AS_GUEST
 				);
+				$response->throttle();
+				return $response;
 			}
 			return new TemplateResponse('core', 'error', [
 				'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
-- 
2.39.5