aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoas Schilling <coding@schilljs.com>2024-02-02 16:26:08 +0100
committerJoas Schilling <coding@schilljs.com>2024-02-14 21:14:25 +0100
commite7a5d0cd5f28b026c64886d63a8d4adc60013e35 (patch)
treea94e8560f00f79bcb036431c28d07d33adf7fb60
parent3ce622ffdbe124cb1ce4d7e2a0e7347a6fd88ac7 (diff)
downloadnextcloud-server-e7a5d0cd5f28b026c64886d63a8d4adc60013e35.tar.gz
nextcloud-server-e7a5d0cd5f28b026c64886d63a8d4adc60013e35.zip
fix: Add bruteforce protection to email endpoint
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r--apps/provisioning_api/lib/Controller/VerificationController.php21
1 files changed, 15 insertions, 6 deletions
diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php
index e184dc13fc6..389ba40c701 100644
--- a/apps/provisioning_api/lib/Controller/VerificationController.php
+++ b/apps/provisioning_api/lib/Controller/VerificationController.php
@@ -80,7 +80,7 @@ class VerificationController extends Controller {
* @NoAdminRequired
* @NoSubAdminRequired
*/
- public function showVerifyMail(string $token, string $userId, string $key) {
+ public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse {
if ($this->userSession->getUser()->getUID() !== $userId) {
// not a public page, hence getUser() must return an IUser
throw new InvalidArgumentException('Logged in account is not mail address owner');
@@ -98,8 +98,10 @@ class VerificationController extends Controller {
/**
* @NoAdminRequired
* @NoSubAdminRequired
+ * @BruteForceProtection(action=emailVerification)
*/
- public function verifyMail(string $token, string $userId, string $key) {
+ public function verifyMail(string $token, string $userId, string $key): TemplateResponse {
+ $throttle = false;
try {
if ($this->userSession->getUser()->getUID() !== $userId) {
throw new InvalidArgumentException('Logged in account is not mail address owner');
@@ -121,9 +123,12 @@ class VerificationController extends Controller {
$this->accountManager->updateAccount($userAccount);
$this->verificationToken->delete($token, $user, 'verifyMail' . $ref);
} catch (InvalidTokenException $e) {
- $error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
- ? $this->l10n->t('Could not verify mail because the token is expired.')
- : $this->l10n->t('Could not verify mail because the token is invalid.');
+ if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) {
+ $error = $this->l10n->t('Could not verify mail because the token is expired.');
+ } else {
+ $throttle = true;
+ $error = $this->l10n->t('Could not verify mail because the token is invalid.');
+ }
} catch (InvalidArgumentException $e) {
$error = $e->getMessage();
} catch (\Exception $e) {
@@ -131,10 +136,14 @@ class VerificationController extends Controller {
}
if (isset($error)) {
- return new TemplateResponse(
+ $response = new TemplateResponse(
'core', 'error', [
'errors' => [['error' => $error]]
], TemplateResponse::RENDER_AS_GUEST);
+ if ($throttle) {
+ $response->throttle();
+ }
+ return $response;
}
return new TemplateResponse(