Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add bruteforce protection to password reset page #36489

Merged
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
Next
Add bruteforce protection to password reset page
Signed-off-by: Joas Schilling <coding@schilljs.com>
  • Loading branch information
nickvergessen committed Feb 2, 2023
commit 704eb3aa6cecc0a646f5cca4290b595f493f9ed3
6 changes: 5 additions & 1 deletion core/Controller/LostController.php
Expand Up @@ -128,6 +128,8 @@ public function __construct(
*
* @PublicPage
* @NoCSRFRequired
* @BruteForceProtection(action=passwordResetEmail)
* @AnonRateThrottle(limit=10, period=300)
*/
public function resetform(string $token, string $userId): TemplateResponse {
try {
Expand All @@ -137,12 +139,14 @@ public function resetform(string $token, string $userId): TemplateResponse {
|| ($e instanceof InvalidTokenException
&& !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN]))
) {
return new TemplateResponse(
$response = new TemplateResponse(
'core', 'error', [
"errors" => [["error" => $e->getMessage()]]
],
TemplateResponse::RENDER_AS_GUEST
);
$response->throttle();
return $response;
}
return new TemplateResponse('core', 'error', [
'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
Expand Down