author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2024-02-15 10:36:35 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-15 10:36:35 +0100 |
commit | 9c00d128f5fe4774c011e4a0936b2cf831fcd371 (patch) | |
tree | 50d4bd331df3d6e732ac13454200465bd9e54b55 /apps/provisioning_api | |
parent | 19bfbe3ce6dd27112fdcd2da0dff998537d328fa (diff) | |
parent | e7a5d0cd5f28b026c64886d63a8d4adc60013e35 (diff) | |
Merge pull request #43593 from nextcloud/bugfix/noid/add-missing-bruteforce-protection
fix: Add bruteforce protection to email endpoint
Diffstat (limited to 'apps/provisioning_api')
-rw-r--r-- | apps/provisioning_api/lib/Controller/VerificationController.php | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php
index e184dc13fc6..389ba40c701 100644
--- a/apps/provisioning_api/lib/Controller/VerificationController.php
+++ b/apps/provisioning_api/lib/Controller/VerificationController.php
@@ -80,7 +80,7 @@ class VerificationController extends Controller {
 * @NoAdminRequired
 * @NoSubAdminRequired
 */
- public function showVerifyMail(string $token, string $userId, string $key) {
+ public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse {
 if ($this->userSession->getUser()->getUID() !== $userId) {
 // not a public page, hence getUser() must return an IUser
 throw new InvalidArgumentException('Logged in account is not mail address owner');
@@ -98,8 +98,10 @@ class VerificationController extends Controller {
 /**
 * @NoAdminRequired
 * @NoSubAdminRequired
+ * @BruteForceProtection(action=emailVerification)
 */
- public function verifyMail(string $token, string $userId, string $key) {
+ public function verifyMail(string $token, string $userId, string $key): TemplateResponse {
+ $throttle = false;
 try {
 if ($this->userSession->getUser()->getUID() !== $userId) {
 throw new InvalidArgumentException('Logged in account is not mail address owner');
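Review bot: The new `$throttle = false;` flag in verifyMail and the `@BruteForceProtection(action=emailVerification)` annotation above it carry no explanation of which failure is counted as an attempt; that decision only becomes visible in the catch block further down, outside this hunk. A one-line comment next to the flag would spare the next reader the scan, e.g. `// set only when the token is rejected as invalid; the error response is then throttled under the emailVerification action`. The body of verifyMail continues beyond the hunk. It is also worth confirming that showVerifyMail (the GET variant in the first hunk, which only gained a return type here) does not validate the same token without the annotation, as that would leave an unthrottled path to the same check; whether it does cannot be told from these hunks.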
@@ -121,9 +123,12 @@ class VerificationController extends Controller {
 $this->accountManager->updateAccount($userAccount);
 $this->verificationToken->delete($token, $user, 'verifyMail' . $ref);
 } catch (InvalidTokenException $e) {
- $error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
- ? $this->l10n->t('Could not verify mail because the token is expired.')
- : $this->l10n->t('Could not verify mail because the token is invalid.');
+ if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) {
+ $error = $this->l10n->t('Could not verify mail because the token is expired.');
+ } else {
+ $throttle = true;
+ $error = $this->l10n->t('Could not verify mail because the token is invalid.');
+ }
 } catch (InvalidArgumentException $e) {
 $error = $e->getMessage();
 } catch (\Exception $e) {
@@ -131,10 +136,14 @@ class VerificationController extends Controller {
 }

 if (isset($error)) {
- return new TemplateResponse(
+ $response = new TemplateResponse(
 'core', 'error', [
 'errors' => [['error' => $error]]
 ], TemplateResponse::RENDER_AS_GUEST);
+ if ($throttle) {
+ $response->throttle();
+ }
+ return $response;
 }

 return new TemplateResponse( |
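Review bot: Only the invalid-token branch sets `$throttle = true`; the `InvalidArgumentException` branch and the generic `\Exception` branch (whose body lies outside the hunk) leave it false, so any other way a request can fail the token check remains unthrottled. If that split is intended, a short comment on the `else` would make it explicit, e.g. `// an expired token is not treated as a guess; only an invalid token counts towards the emailVerification bruteforce action`; if the generic branch can be reached with a malformed token, it should probably set the flag as well. Which exceptions reach that branch cannot be determined from the hunk. The `$response->throttle()` call in the following hunk relies on the `@BruteForceProtection` annotation added earlier in the file, which is the correct pairing.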