diff options
| author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2024-02-15 09:09:14 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-02-15 09:09:14 +0100 |
| commit | 54d5930175ae5506ba50e97555f74231961e9913 (patch) | |
| tree | 08a759a2325975ffe348b5c483f0dfb32e995964 | |
| parent | 3c5b7e6323d2ef302dbf64eed7bc99987470e1fd (diff) | |
| parent | e1e70267ec1afce6de0c3be65555cec366435035 (diff) | |
| download | nextcloud-server-54d5930175ae5506ba50e97555f74231961e9913.tar.gz nextcloud-server-54d5930175ae5506ba50e97555f74231961e9913.zip | |
Merge pull request #43596 from nextcloud/backport/43593/stable28
[stable28] fix: Add bruteforce protection to email endpoint
| -rw-r--r-- | apps/provisioning_api/lib/Controller/VerificationController.php | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php index 6b2443796fc..b758ad65034 100644 --- a/apps/provisioning_api/lib/Controller/VerificationController.php +++ b/apps/provisioning_api/lib/Controller/VerificationController.php @@ -80,7 +80,7 @@ class VerificationController extends Controller { * @NoAdminRequired * @NoSubAdminRequired */ - public function showVerifyMail(string $token, string $userId, string $key) { + public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse { if ($this->userSession->getUser()->getUID() !== $userId) { // not a public page, hence getUser() must return an IUser throw new InvalidArgumentException('Logged in user is not mail address owner'); @@ -98,8 +98,10 @@ class VerificationController extends Controller { /** * @NoAdminRequired * @NoSubAdminRequired + * @BruteForceProtection(action=emailVerification) */ - public function verifyMail(string $token, string $userId, string $key) { + public function verifyMail(string $token, string $userId, string $key): TemplateResponse { + $throttle = false; try { if ($this->userSession->getUser()->getUID() !== $userId) { throw new InvalidArgumentException('Logged in user is not mail address owner'); @@ -121,9 +123,12 @@ class VerificationController extends Controller { $this->accountManager->updateAccount($userAccount); $this->verificationToken->delete($token, $user, 'verifyMail' . $ref); } catch (InvalidTokenException $e) { - $error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED - ? $this->l10n->t('Could not verify mail because the token is expired.') - : $this->l10n->t('Could not verify mail because the token is invalid.'); + if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) { + $error = $this->l10n->t('Could not verify mail because the token is expired.'); + } else { + $throttle = true; + $error = $this->l10n->t('Could not verify mail because the token is invalid.'); + } } catch (InvalidArgumentException $e) { $error = $e->getMessage(); } catch (\Exception $e) { @@ -131,10 +136,14 @@ class VerificationController extends Controller { } if (isset($error)) { - return new TemplateResponse( + $response = new TemplateResponse( 'core', 'error', [ 'errors' => [['error' => $error]] ], TemplateResponse::RENDER_AS_GUEST); + if ($throttle) { + $response->throttle(); + } + return $response; } return new TemplateResponse( |