author | Côme Chilliet <come.chilliet@nextcloud.com> | 2022-10-17 14:36:24 +0200 |
committer | Côme Chilliet <come.chilliet@nextcloud.com> | 2022-11-03 17:50:59 +0100 |
commit | 26574db8ab27b5971c0c522ba47d7679d87345ec (patch) | |
tree | 6b330f945135f89570cc322c66e80c4937062476 /core/Controller | |
parent | 7f47000def372cc90705cdb45fe1acb78ebdc27f (diff) | |
download | nextcloud-server-26574db8ab27b5971c0c522ba47d7679d87345ec.tar.gz nextcloud-server-26574db8ab27b5971c0c522ba47d7679d87345ec.zip |
Add rate limiting on lost password emails
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Diffstat (limited to 'core/Controller')
-rw-r--r-- | core/Controller/LostController.php | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 87a629b9ee8..00a37ce01f4 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -37,6 +37,8 @@ namespace OC\Core\Controller;
 use OC\Authentication\TwoFactorAuth\Manager;
 use OC\Core\Exception\ResetPasswordException;
+use OC\Security\RateLimiting\Exception\RateLimitExceededException;
+use OC\Security\RateLimiting\Limiter;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\TemplateResponse;
@@ -91,6 +93,8 @@ class LostController extends Controller {
 private $initialStateService;
 /** @var IVerificationToken */
 private $verificationToken;
+ /** @var Limiter */
+ private $limiter;
 public function __construct(
 $appName,
@@ -106,7 +110,8 @@ class LostController extends Controller {
 ILogger $logger,
 Manager $twoFactorManager,
 IInitialStateService $initialStateService,
- IVerificationToken $verificationToken
+ IVerificationToken $verificationToken,
+ Limiter $limiter
 ) {
 parent::__construct($appName, $request);
 $this->urlGenerator = $urlGenerator;
@@ -121,6 +126,7 @@ class LostController extends Controller {
 $this->twoFactorManager = $twoFactorManager;
 $this->initialStateService = $initialStateService;
 $this->verificationToken = $verificationToken;
+ $this->limiter = $limiter;
 }
 /**
@@ -294,6 +300,12 @@ class LostController extends Controller {
 throw new ResetPasswordException('Could not send reset e-mail since there is no email for username ' . $input);
 }
+ try {
+ $this->limiter->registerUserRequest('lostpasswordemail', 5, 1800, $user);
+ } catch (RateLimitExceededException $e) {
+ throw new ResetPasswordException('Could not send reset e-mail, 5 of them were already sent in the last 30 minutes', 0, $e);
+ }
+
 // Generate the token. It is stored encrypted in the database with the
 // secret being the users' email address appended with the system secret.
 // This makes the token automatically invalidate once the user changes
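Review bot: The policy values 5 and 1800 in `$this->limiter->registerUserRequest('lostpasswordemail', 5, 1800, $user);` are repeated as prose in the exception message on the following line ("5 of them ... in the last 30 minutes"), so the message will silently become wrong the first time the limit is tuned. Hoist them into class constants, e.g. `private const RESET_EMAIL_LIMIT = 5;` and `private const RESET_EMAIL_PERIOD = 1800;`, pass those to the limiter and build the message with sprintf from the same constants. This throws the same ResetPasswordException as the no-email case directly above it, so it presumably gets the same treatment in the caller (outside this hunk); a comment on the catch block such as `// Log-only message: like the no-email case it must not be returned to the requester, or it confirms the account exists` would pin that expectation down. Keying the limit on `$user` caps reset mails per target account, which protects the account owner's inbox; if bounding the requesting client is also a goal, that needs a separate per-client limit and is worth stating in a comment either way. The enclosing method starts before and ends after this hunk.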