fix(lostpassword): Also rate limit the setPassword endpoint

Signed-off-by: Joas Schilling <coding@schilljs.com>
author: Joas Schilling <coding@schilljs.com> 2023-05-15 09:21:07 +0200
committer: Joas Schilling <coding@schilljs.com> 2023-05-15 09:21:07 +0200
commit: 7ee81b65557c84c764a9014a0442c9915c82a9a8 (patch)
tree: a001f9940a3945fcad1bcf3d72c3aef180cf1365 /core/Controller
parent: e18f97fc9506ec14487d68f90edfef4c6eb98361 (diff)
download: nextcloud-server-7ee81b65557c84c764a9014a0442c9915c82a9a8.tar.gz
nextcloud-server-7ee81b65557c84c764a9014a0442c9915c82a9a8.zip
1 files changed, 12 insertions, 6 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 51ab8d85a6e..127c6310f6b 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -201,7 +201,7 @@ class LostController extends Controller {
 		}
 
 		$user = trim($user);
-		
+
 		\OCP\Util::emitHook(
 			'\OCA\Files_Sharing\API\Server2Server',
 			'preLoginNameUsedAsUserName',
@@ -225,8 +225,10 @@ class LostController extends Controller {
 
 	/**
 	 * @PublicPage
+	 * @BruteForceProtection(action=passwordResetEmail)
+	 * @AnonRateThrottle(limit=10, period=300)
 	 */
-	public function setPassword(string $token, string $userId, string $password, bool $proceed): array {
+	public function setPassword(string $token, string $userId, string $password, bool $proceed): JSONResponse {
 		if ($this->encryptionManager->isEnabled() && !$proceed) {
 			$encryptionModules = $this->encryptionManager->getEncryptionModules();
 			foreach ($encryptionModules as $module) {
@@ -234,7 +236,7 @@ class LostController extends Controller {
 				$instance = call_user_func($module['callback']);
 				// this way we can find out whether per-user keys are used or a system wide encryption key
 				if ($instance->needDetailedAccessList()) {
-					return $this->error('', ['encryption' => true]);
+					return new JSONResponse($this->error('', ['encryption' => true]));
 				}
 			}
 		}
@@ -262,12 +264,16 @@ class LostController extends Controller {
 			$this->config->deleteUserValue($userId, 'core', 'lostpassword');
 			@\OC::$server->getUserSession()->unsetMagicInCookie();
 		} catch (HintException $e) {
-			return $this->error($e->getHint());
+			$response = new JSONResponse($this->error($e->getHint()));
+			$response->throttle();
+			return $response;
 		} catch (Exception $e) {
-			return $this->error($e->getMessage());
+			$response = new JSONResponse($this->error($e->getMessage()));
+			$response->throttle();
+			return $response;
 		}
 
-		return $this->success(['user' => $userId]);
+		return new JSONResponse($this->success(['user' => $userId]));
 	}
 
 	/**
author	Joas Schilling <coding@schilljs.com>	2023-05-15 09:21:07 +0200
committer	Joas Schilling <coding@schilljs.com>	2023-05-15 09:21:07 +0200
commit	7ee81b65557c84c764a9014a0442c9915c82a9a8 (patch)
tree	a001f9940a3945fcad1bcf3d72c3aef180cf1365 /core/Controller
parent	e18f97fc9506ec14487d68f90edfef4c6eb98361 (diff)
download	nextcloud-server-7ee81b65557c84c764a9014a0442c9915c82a9a8.tar.gz nextcloud-server-7ee81b65557c84c764a9014a0442c9915c82a9a8.zip