authorJoas Schilling <coding@schilljs.com>2024-02-02 16:26:08 +0100
committerJoas Schilling <coding@schilljs.com>2024-02-15 08:15:22 +0100
commit64733fb590b74d6f39764265f23b0c0dadd3f771 (patch)
treea3d016689b553af89e84e8101aa6a20b656c1dcc /apps/provisioning_api
parent2f4063970722fb71fbace807f92e0331f61e7ef9 (diff)
fix: Add bruteforce protection to email endpoint
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'apps/provisioning_api')
-rw-r--r--apps/provisioning_api/lib/Controller/VerificationController.php21
1 files changed, 15 insertions, 6 deletions
diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php
index f16f50385e7..a373adf7551 100644
--- a/apps/provisioning_api/lib/Controller/VerificationController.php
+++ b/apps/provisioning_api/lib/Controller/VerificationController.php
@@ -77,7 +77,7 @@ class VerificationController extends Controller {
* @NoAdminRequired
* @NoSubAdminRequired
*/
- public function showVerifyMail(string $token, string $userId, string $key) {
+ public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse {
if ($this->userSession->getUser()->getUID() !== $userId) {
// not a public page, hence getUser() must return an IUser
throw new InvalidArgumentException('Logged in user is not mail address owner');
@@ -95,8 +95,10 @@ class VerificationController extends Controller {
/**
* @NoAdminRequired
* @NoSubAdminRequired
+ * @BruteForceProtection(action=emailVerification)
*/
- public function verifyMail(string $token, string $userId, string $key) {
+ public function verifyMail(string $token, string $userId, string $key): TemplateResponse {
+ $throttle = false;
try {
if ($this->userSession->getUser()->getUID() !== $userId) {
throw new InvalidArgumentException('Logged in user is not mail address owner');
@@ -118,9 +120,12 @@ class VerificationController extends Controller {
$this->accountManager->updateAccount($userAccount);
$this->verificationToken->delete($token, $user, 'verifyMail' . $ref);
} catch (InvalidTokenException $e) {
- $error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
- ? $this->l10n->t('Could not verify mail because the token is expired.')
- : $this->l10n->t('Could not verify mail because the token is invalid.');
+ if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) {
+ $error = $this->l10n->t('Could not verify mail because the token is expired.');
+ } else {
+ $throttle = true;
+ $error = $this->l10n->t('Could not verify mail because the token is invalid.');
+ }
} catch (InvalidArgumentException $e) {
$error = $e->getMessage();
} catch (\Exception $e) {
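Review bot: The decision at the new `else` branch to count only "token invalid" toward the `emailVerification` brute-force action, while leaving expired tokens and the `InvalidArgumentException` (logged-in user is not the address owner) unthrottled, is the security-relevant part of this change and deserves a comment, since a later reader may otherwise "fix" the asymmetry in either direction. Something like `// Only an unknown token counts as a guess; an expired token was once genuinely issued, so it is not evidence of enumeration and is left unthrottled.` above the `$throttle = true;` line would record the intent (the same reasoning applies to the `$throttle = false;` initialisation in the previous hunk). Whether the generic `\Exception` branch should also throttle cannot be judged from here, because its body and the start of the enclosing `try` lie outside this hunk.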
@@ -128,10 +133,14 @@ class VerificationController extends Controller {
}
if (isset($error)) {
- return new TemplateResponse(
+ $response = new TemplateResponse(
'core', 'error', [
'errors' => [['error' => $error]]
], TemplateResponse::RENDER_AS_GUEST);
+ if ($throttle) {
+ $response->throttle();
+ }
+ return $response;
}
return new TemplateResponse(