diff options
| author | Joas Schilling <coding@schilljs.com> | 2023-01-20 13:10:09 +0100 |
|---|---|---|
| committer | Joas Schilling <coding@schilljs.com> | 2023-02-02 06:13:49 +0100 |
| commit | 704eb3aa6cecc0a646f5cca4290b595f493f9ed3 (patch) | |
| tree | a19b90b9f71c5ff628e416248aae8d0e3dce2b0e /core/Controller/LostController.php | |
| parent | 41148acf833d401aa6c8bd23617ae8639b6aaae6 (diff) | |
| download | nextcloud-server-704eb3aa6cecc0a646f5cca4290b595f493f9ed3.tar.gz nextcloud-server-704eb3aa6cecc0a646f5cca4290b595f493f9ed3.zip | |
Add bruteforce protection to password reset page
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'core/Controller/LostController.php')
| -rw-r--r-- | core/Controller/LostController.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php index 6176e3cd5e5..044535c345b 100644 --- a/core/Controller/LostController.php +++ b/core/Controller/LostController.php @@ -128,6 +128,8 @@ class LostController extends Controller { * * @PublicPage * @NoCSRFRequired + * @BruteForceProtection(action=passwordResetEmail) + * @AnonRateThrottle(limit=10, period=300) */ public function resetform(string $token, string $userId): TemplateResponse { try { @@ -137,12 +139,14 @@ class LostController extends Controller { || ($e instanceof InvalidTokenException && !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN])) ) { - return new TemplateResponse( + $response = new TemplateResponse( 'core', 'error', [ "errors" => [["error" => $e->getMessage()]] ], TemplateResponse::RENDER_AS_GUEST ); + $response->throttle(); + return $response; } return new TemplateResponse('core', 'error', [ 'errors' => [['error' => $this->l10n->t('Password reset is disabled')]] |