From 64733fb590b74d6f39764265f23b0c0dadd3f771 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Fri, 2 Feb 2024 16:26:08 +0100
Subject: fix: Add bruteforce protection to email endpoint

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 .../lib/Controller/VerificationController.php       | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

(limited to 'apps/provisioning_api')

diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php
index f16f50385e7..a373adf7551 100644
--- a/apps/provisioning_api/lib/Controller/VerificationController.php
+++ b/apps/provisioning_api/lib/Controller/VerificationController.php
@@ -77,7 +77,7 @@ class VerificationController extends Controller {
 	 * @NoAdminRequired
 	 * @NoSubAdminRequired
 	 */
-	public function showVerifyMail(string $token, string $userId, string $key) {
+	public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse {
 		if ($this->userSession->getUser()->getUID() !== $userId) {
 			// not a public page, hence getUser() must return an IUser
 			throw new InvalidArgumentException('Logged in user is not mail address owner');
@@ -95,8 +95,10 @@ class VerificationController extends Controller {
 	/**
 	 * @NoAdminRequired
 	 * @NoSubAdminRequired
+	 * @BruteForceProtection(action=emailVerification)
 	 */
-	public function verifyMail(string $token, string $userId, string $key) {
+	public function verifyMail(string $token, string $userId, string $key): TemplateResponse {
+		$throttle = false;
 		try {
 			if ($this->userSession->getUser()->getUID() !== $userId) {
 				throw new InvalidArgumentException('Logged in user is not mail address owner');
@@ -118,9 +120,12 @@ class VerificationController extends Controller {
 			$this->accountManager->updateAccount($userAccount);
 			$this->verificationToken->delete($token, $user, 'verifyMail' . $ref);
 		} catch (InvalidTokenException $e) {
-			$error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
-				? $this->l10n->t('Could not verify mail because the token is expired.')
-				: $this->l10n->t('Could not verify mail because the token is invalid.');
+			if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) {
+				$error = $this->l10n->t('Could not verify mail because the token is expired.');
+			} else {
+				$throttle = true;
+				$error = $this->l10n->t('Could not verify mail because the token is invalid.');
+			}
 		} catch (InvalidArgumentException $e) {
 			$error = $e->getMessage();
 		} catch (\Exception $e) {
@@ -128,10 +133,14 @@ class VerificationController extends Controller {
 		}
 
 		if (isset($error)) {
-			return new TemplateResponse(
+			$response = new TemplateResponse(
 				'core', 'error', [
 					'errors' => [['error' => $error]]
 				], TemplateResponse::RENDER_AS_GUEST);
+			if ($throttle) {
+				$response->throttle();
+			}
+			return $response;
 		}
 
 		return new TemplateResponse(
-- 
cgit v1.2.3