diff options
| author | Côme Chilliet <come.chilliet@nextcloud.com> | 2022-10-17 14:36:24 +0200 |
|---|---|---|
| committer | Côme Chilliet (Rebase PR Action) <come-nc@users.noreply.github.com> | 2022-10-18 14:49:02 +0000 |
| commit | 71ee29265088462743f21381522f83a536250587 (patch) | |
| tree | 60dc2a5f4784f415a8d06f045b2b95b6184cf6dd /core/Controller/LostController.php | |
| parent | 0270068fedd0282585bb5d2ffd5c823932a8ea72 (diff) | |
| download | nextcloud-server-71ee29265088462743f21381522f83a536250587.tar.gz nextcloud-server-71ee29265088462743f21381522f83a536250587.zip | |
Add rate limiting on lost password emails
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Diffstat (limited to 'core/Controller/LostController.php')
| -rw-r--r-- | core/Controller/LostController.php | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php index e5dc5218cb1..fadfa242b93 100644 --- a/core/Controller/LostController.php +++ b/core/Controller/LostController.php @@ -36,10 +36,6 @@ namespace OC\Core\Controller; use Exception; -use OC\Authentication\TwoFactorAuth\Manager; -use OC\Core\Events\BeforePasswordResetEvent; -use OC\Core\Events\PasswordResetEvent; -use OC\Core\Exception\ResetPasswordException; use OCP\AppFramework\Controller; use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Http\TemplateResponse; @@ -56,8 +52,14 @@ use OCP\IURLGenerator; use OCP\IUser; use OCP\IUserManager; use OCP\Mail\IMailer; -use OCP\Security\VerificationToken\InvalidTokenException; use OCP\Security\VerificationToken\IVerificationToken; +use OCP\Security\VerificationToken\InvalidTokenException; +use OC\Authentication\TwoFactorAuth\Manager; +use OC\Core\Events\BeforePasswordResetEvent; +use OC\Core\Events\PasswordResetEvent; +use OC\Core\Exception\ResetPasswordException; +use OC\Security\RateLimiting\Exception\RateLimitExceededException; +use OC\Security\RateLimiting\Limiter; use Psr\Log\LoggerInterface; use function array_filter; use function count; @@ -84,6 +86,7 @@ class LostController extends Controller { private IInitialState $initialState; private IVerificationToken $verificationToken; private IEventDispatcher $eventDispatcher; + private Limiter $limiter; public function __construct( string $appName, @@ -100,7 +103,8 @@ class LostController extends Controller { Manager $twoFactorManager, IInitialState $initialState, IVerificationToken $verificationToken, - IEventDispatcher $eventDispatcher + IEventDispatcher $eventDispatcher, + Limiter $limiter ) { parent::__construct($appName, $request); $this->urlGenerator = $urlGenerator; @@ -116,6 +120,7 @@ class LostController extends Controller { $this->initialState = $initialState; $this->verificationToken = $verificationToken; $this->eventDispatcher = $eventDispatcher; + $this->limiter = $limiter; } /** @@ -267,6 +272,12 @@ class LostController extends Controller { throw new ResetPasswordException('Could not send reset e-mail since there is no email for username ' . $input); } + try { + $this->limiter->registerUserRequest('lostpasswordemail', 5, 1800, $user); + } catch (RateLimitExceededException $e) { + throw new ResetPasswordException('Could not send reset e-mail, 5 of them were already sent in the last 30 minutes', 0, $e); + } + // Generate the token. It is stored encrypted in the database with the // secret being the users' email address appended with the system secret. // This makes the token automatically invalidate once the user changes |