Преглед изворни кода
fix: Add bruteforce protection to email endpoint
Signed-off-by: Joas Schilling <coding@schilljs.com>tags/v29.0.0beta1
Joas Schilling
пре 4 месеци
1 измењених фајлова са 15 додато и 6 уклоњено
+ 15
- 6
apps/provisioning_api/lib/Controller/VerificationController.php
Прегледај датотеку
| @@ -80,7 +80,7 @@ class VerificationController extends Controller { | |||
| * @NoAdminRequired | |||
| * @NoSubAdminRequired | |||
| */ | |||
| public function showVerifyMail(string $token, string $userId, string $key) { | |||
| public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse { | |||
| if ($this->userSession->getUser()->getUID() !== $userId) { | |||
| // not a public page, hence getUser() must return an IUser | |||
| throw new InvalidArgumentException('Logged in account is not mail address owner'); | |||
| @@ -98,8 +98,10 @@ class VerificationController extends Controller { | |||
| /** | |||
| * @NoAdminRequired | |||
| * @NoSubAdminRequired | |||
| * @BruteForceProtection(action=emailVerification) | |||
| */ | |||
| public function verifyMail(string $token, string $userId, string $key) { | |||
| public function verifyMail(string $token, string $userId, string $key): TemplateResponse { | |||
| $throttle = false; | |||
| try { | |||
| if ($this->userSession->getUser()->getUID() !== $userId) { | |||
| throw new InvalidArgumentException('Logged in account is not mail address owner'); | |||
| @@ -121,9 +123,12 @@ class VerificationController extends Controller { | |||
| $this->accountManager->updateAccount($userAccount); | |||
| $this->verificationToken->delete($token, $user, 'verifyMail' . $ref); | |||
| } catch (InvalidTokenException $e) { | |||
| $error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED | |||
| ? $this->l10n->t('Could not verify mail because the token is expired.') | |||
| : $this->l10n->t('Could not verify mail because the token is invalid.'); | |||
| if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) { | |||
| $error = $this->l10n->t('Could not verify mail because the token is expired.'); | |||
| } else { | |||
| $throttle = true; | |||
| $error = $this->l10n->t('Could not verify mail because the token is invalid.'); | |||
| } | |||
| } catch (InvalidArgumentException $e) { | |||
| $error = $e->getMessage(); | |||
| } catch (\Exception $e) { | |||
| @@ -131,10 +136,14 @@ class VerificationController extends Controller { | |||
| } | |||
| if (isset($error)) { | |||
| return new TemplateResponse( | |||
| $response = new TemplateResponse( | |||
| 'core', 'error', [ | |||
| 'errors' => [['error' => $error]] | |||
| ], TemplateResponse::RENDER_AS_GUEST); | |||
| if ($throttle) { | |||
| $response->throttle(); | |||
| } | |||
| return $response; | |||
| } | |||
| return new TemplateResponse( | |||
Loading…