diff options
| author | Joas Schilling <coding@schilljs.com> | 2024-02-02 16:26:08 +0100 |
|---|---|---|
| committer | Joas Schilling <coding@schilljs.com> | 2024-02-14 21:14:25 +0100 |
| commit | e7a5d0cd5f28b026c64886d63a8d4adc60013e35 (patch) | |
| tree | a94e8560f00f79bcb036431c28d07d33adf7fb60 /apps/provisioning_api/lib | |
| parent | 3ce622ffdbe124cb1ce4d7e2a0e7347a6fd88ac7 (diff) | |
| download | nextcloud-server-e7a5d0cd5f28b026c64886d63a8d4adc60013e35.tar.gz nextcloud-server-e7a5d0cd5f28b026c64886d63a8d4adc60013e35.zip | |
fix: Add bruteforce protection to email endpoint
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'apps/provisioning_api/lib')
| -rw-r--r-- | apps/provisioning_api/lib/Controller/VerificationController.php | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php index e184dc13fc6..389ba40c701 100644 --- a/apps/provisioning_api/lib/Controller/VerificationController.php +++ b/apps/provisioning_api/lib/Controller/VerificationController.php @@ -80,7 +80,7 @@ class VerificationController extends Controller { * @NoAdminRequired * @NoSubAdminRequired */ - public function showVerifyMail(string $token, string $userId, string $key) { + public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse { if ($this->userSession->getUser()->getUID() !== $userId) { // not a public page, hence getUser() must return an IUser throw new InvalidArgumentException('Logged in account is not mail address owner'); @@ -98,8 +98,10 @@ class VerificationController extends Controller { /** * @NoAdminRequired * @NoSubAdminRequired + * @BruteForceProtection(action=emailVerification) */ - public function verifyMail(string $token, string $userId, string $key) { + public function verifyMail(string $token, string $userId, string $key): TemplateResponse { + $throttle = false; try { if ($this->userSession->getUser()->getUID() !== $userId) { throw new InvalidArgumentException('Logged in account is not mail address owner'); @@ -121,9 +123,12 @@ class VerificationController extends Controller { $this->accountManager->updateAccount($userAccount); $this->verificationToken->delete($token, $user, 'verifyMail' . $ref); } catch (InvalidTokenException $e) { - $error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED - ? $this->l10n->t('Could not verify mail because the token is expired.') - : $this->l10n->t('Could not verify mail because the token is invalid.'); + if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) { + $error = $this->l10n->t('Could not verify mail because the token is expired.'); + } else { + $throttle = true; + $error = $this->l10n->t('Could not verify mail because the token is invalid.'); + } } catch (InvalidArgumentException $e) { $error = $e->getMessage(); } catch (\Exception $e) { @@ -131,10 +136,14 @@ class VerificationController extends Controller { } if (isset($error)) { - return new TemplateResponse( + $response = new TemplateResponse( 'core', 'error', [ 'errors' => [['error' => $error]] ], TemplateResponse::RENDER_AS_GUEST); + if ($throttle) { + $response->throttle(); + } + return $response; } return new TemplateResponse( |