diff options
| author | Joas Schilling <coding@schilljs.com> | 2024-02-02 16:26:08 +0100 |
|---|---|---|
| committer | Joas Schilling <coding@schilljs.com> | 2024-02-15 08:13:03 +0100 |
| commit | e1e70267ec1afce6de0c3be65555cec366435035 (patch) | |
| tree | fe81767575b9c37dd302d52b66e6020aabaca975 /apps | |
| parent | b328015c71733e2512c51a2642eac75b3f822ee2 (diff) | |
| download | nextcloud-server-e1e70267ec1afce6de0c3be65555cec366435035.tar.gz nextcloud-server-e1e70267ec1afce6de0c3be65555cec366435035.zip | |
fix: Add bruteforce protection to email endpoint
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/provisioning_api/lib/Controller/VerificationController.php | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php index 6b2443796fc..b758ad65034 100644 --- a/apps/provisioning_api/lib/Controller/VerificationController.php +++ b/apps/provisioning_api/lib/Controller/VerificationController.php @@ -80,7 +80,7 @@ class VerificationController extends Controller { * @NoAdminRequired * @NoSubAdminRequired */ - public function showVerifyMail(string $token, string $userId, string $key) { + public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse { if ($this->userSession->getUser()->getUID() !== $userId) { // not a public page, hence getUser() must return an IUser throw new InvalidArgumentException('Logged in user is not mail address owner'); @@ -98,8 +98,10 @@ class VerificationController extends Controller { /** * @NoAdminRequired * @NoSubAdminRequired + * @BruteForceProtection(action=emailVerification) */ - public function verifyMail(string $token, string $userId, string $key) { + public function verifyMail(string $token, string $userId, string $key): TemplateResponse { + $throttle = false; try { if ($this->userSession->getUser()->getUID() !== $userId) { throw new InvalidArgumentException('Logged in user is not mail address owner'); @@ -121,9 +123,12 @@ class VerificationController extends Controller { $this->accountManager->updateAccount($userAccount); $this->verificationToken->delete($token, $user, 'verifyMail' . $ref); } catch (InvalidTokenException $e) { - $error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED - ? $this->l10n->t('Could not verify mail because the token is expired.') - : $this->l10n->t('Could not verify mail because the token is invalid.'); + if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) { + $error = $this->l10n->t('Could not verify mail because the token is expired.'); + } else { + $throttle = true; + $error = $this->l10n->t('Could not verify mail because the token is invalid.'); + } } catch (InvalidArgumentException $e) { $error = $e->getMessage(); } catch (\Exception $e) { @@ -131,10 +136,14 @@ class VerificationController extends Controller { } if (isset($error)) { - return new TemplateResponse( + $response = new TemplateResponse( 'core', 'error', [ 'errors' => [['error' => $error]] ], TemplateResponse::RENDER_AS_GUEST); + if ($throttle) { + $response->throttle(); + } + return $response; } return new TemplateResponse( |