authorCôme Chilliet <come.chilliet@nextcloud.com>2022-10-17 14:36:24 +0200
committerCôme Chilliet (Rebase PR Action) <come-nc@users.noreply.github.com>2022-10-18 14:49:02 +0000
commit71ee29265088462743f21381522f83a536250587 (patch)
tree60dc2a5f4784f415a8d06f045b2b95b6184cf6dd /core/Controller
parent0270068fedd0282585bb5d2ffd5c823932a8ea72 (diff)
Add rate limiting on lost password emails
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Diffstat (limited to 'core/Controller')
-rw-r--r--core/Controller/LostController.php23
1 files changed, 17 insertions, 6 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index e5dc5218cb1..fadfa242b93 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -36,10 +36,6 @@
namespace OC\Core\Controller;
use Exception;
-use OC\Authentication\TwoFactorAuth\Manager;
-use OC\Core\Events\BeforePasswordResetEvent;
-use OC\Core\Events\PasswordResetEvent;
-use OC\Core\Exception\ResetPasswordException;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\TemplateResponse;
@@ -56,8 +52,14 @@ use OCP\IURLGenerator;
use OCP\IUser;
use OCP\IUserManager;
use OCP\Mail\IMailer;
-use OCP\Security\VerificationToken\InvalidTokenException;
use OCP\Security\VerificationToken\IVerificationToken;
+use OCP\Security\VerificationToken\InvalidTokenException;
+use OC\Authentication\TwoFactorAuth\Manager;
+use OC\Core\Events\BeforePasswordResetEvent;
+use OC\Core\Events\PasswordResetEvent;
+use OC\Core\Exception\ResetPasswordException;
+use OC\Security\RateLimiting\Exception\RateLimitExceededException;
+use OC\Security\RateLimiting\Limiter;
use Psr\Log\LoggerInterface;
use function array_filter;
use function count;
@@ -84,6 +86,7 @@ class LostController extends Controller {
private IInitialState $initialState;
private IVerificationToken $verificationToken;
private IEventDispatcher $eventDispatcher;
+ private Limiter $limiter;
public function __construct(
string $appName,
@@ -100,7 +103,8 @@ class LostController extends Controller {
Manager $twoFactorManager,
IInitialState $initialState,
IVerificationToken $verificationToken,
- IEventDispatcher $eventDispatcher
+ IEventDispatcher $eventDispatcher,
+ Limiter $limiter
) {
parent::__construct($appName, $request);
$this->urlGenerator = $urlGenerator;
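Review bot: The new parameter `Limiter $limiter` binds this controller to the concrete internal class `OC\Security\RateLimiting\Limiter` rather than a public `OCP` contract, so any test or alternative throttling strategy has to construct that class itself; the same coupling is repeated by the property added in the previous hunk and the assignment in the next one. If a public interface for the limiter exists in this codebase, typing the parameter and the property against it would keep the controller's dependencies inside the public API; otherwise a short comment on the property such as `/** Throttles password-reset e-mails per user; see the rate-limit block further down in this file */` would at least record why an internal class is pulled in here. The constructor's parameter list begins outside this hunk.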
@@ -116,6 +120,7 @@ class LostController extends Controller {
$this->initialState = $initialState;
$this->verificationToken = $verificationToken;
$this->eventDispatcher = $eventDispatcher;
+ $this->limiter = $limiter;
}
/**
@@ -267,6 +272,12 @@ class LostController extends Controller {
throw new ResetPasswordException('Could not send reset e-mail since there is no email for username ' . $input);
}
+ try {
+ $this->limiter->registerUserRequest('lostpasswordemail', 5, 1800, $user);
+ } catch (RateLimitExceededException $e) {
+ throw new ResetPasswordException('Could not send reset e-mail, 5 of them were already sent in the last 30 minutes', 0, $e);
+ }
+
// Generate the token. It is stored encrypted in the database with the
// secret being the users' email address appended with the system secret.
// This makes the token automatically invalidate once the user changes