Skip to content

Stop password reset email spamming #4003

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
MorrisJobke wants to merge 2 commits into from
Closed

Stop password reset email spamming #4003

MorrisJobke wants to merge 2 commits into from

Conversation

@MorrisJobke
Copy link
Member

@MorrisJobke MorrisJobke commented Mar 23, 2017

@MorrisJobke MorrisJobke added 3. to review Waiting for reviews downstream labels Mar 23, 2017
@MorrisJobke MorrisJobke added this to the Nextcloud 12.0 milestone Mar 23, 2017
@mention-bot
Copy link

mention-bot commented Mar 23, 2017

@MorrisJobke, thanks for your PR! By analyzing the history of the files in this pull request, we identified @LukasReschke, @rullzer and @BernhardPosselt to be potential reviewers.

@nickvergessen
Copy link
Member

nickvergessen commented Mar 23, 2017

Should we just use our bruteforce protection?

@MorrisJobke
Copy link
Member Author

MorrisJobke commented Mar 23, 2017

Should we just use our bruteforce protection?

I guess that will not help, because this is more about "Only send the reset email once in x minutes" and does not follow the "make it slower after x failed retries"

@MorrisJobke
Copy link
Member Author

MorrisJobke commented Apr 4, 2017

I tested this and it works fine 👍

@MorrisJobke
Copy link
Member Author

MorrisJobke commented Apr 4, 2017

@nickvergessen @LukasReschke @rullzer @blizzz Please review :)

@imujjwal96 @rullzer
Stop password reset email spamming
36251b6 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
@imujjwal96 @rullzer
Add tests for PR 27346
41cfb7a 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
@rullzer rullzer added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Apr 5, 2017
@blizzz
Copy link
Member

blizzz commented Apr 5, 2017 

There were 2 warnings:
1) Test\Authentication\Token\DefaultTokenProviderTest::testRenewSessionTokenWithoutPassword
Trying to configure method "getRemember" which cannot be configured because it does not exist, has not been specified, is final, or is static
2) Test\Authentication\Token\DefaultTokenProviderTest::testRenewSessionTokenWithPassword
Trying to configure method "getRemember" which cannot be configured because it does not exist, has not been specified, is final, or is static
--
There were 4 failures:
1) Tests\Core\Controller\LostControllerTest::testSpamEmail
Failed asserting that Array &0 (
    'status' => 'error'
    'msg' => 'Expectation failed for method name is equal to <string:getUserValue> when invoked 1 time(s)
Parameter 0 for invocation OCP\IConfig::getUserValue(Mock_IUser_fa903a8d Object (...), 'core', 'lostpassword', '') does not match expected value.
Mock_IUser_fa903a8d Object (...) does not match expected type "string".'
) is identical to Array &0 (
    'status' => 'error'
    'msg' => 'The email is not sent because a password reset email was sent recently.'
).
/drone/src/github.com/nextcloud/server/tests/Core/Controller/LostControllerTest.php:309
2) Tests\Core\Controller\LostControllerTest::testEmailSuccessful
Failed asserting that Array &0 (
    'status' => 'error'
    'msg' => 'Expectation failed for method name is equal to <string:getUserValue> when invoked 1 time(s)
Parameter 0 for invocation OCP\IConfig::getUserValue(Mock_IUser_fa903a8d Object (...), 'core', 'lostpassword', '') does not match expected value.
Mock_IUser_fa903a8d Object (...) does not match expected type "string".'
) is identical to Array &0 (
    'status' => 'success'
).
/drone/src/github.com/nextcloud/server/tests/Core/Controller/LostControllerTest.php:390
3) Tests\Core\Controller\LostControllerTest::testEmailWithMailSuccessful
Failed asserting that Array &0 (
    'status' => 'error'
    'msg' => 'Expectation failed for method name is equal to <string:setUserValue> when invoked 1 time(s)
Parameter 0 for invocation OCP\IConfig::setUserValue(Mock_IUser_fa903a8d Object (...), 'core', 'lostpassword', 'encryptedToken', null) does not match expected value.
Mock_IUser_fa903a8d Object (...) does not match expected type "string".'
) is identical to Array &0 (
    'status' => 'success'
).
/drone/src/github.com/nextcloud/server/tests/Core/Controller/LostControllerTest.php:461
4) Tests\Core\Controller\LostControllerTest::testEmailCantSendException
Failed asserting that Array &0 (
    'status' => 'error'
    'msg' => 'Expectation failed for method name is equal to <string:setUserValue> when invoked 1 time(s)
Parameter 0 for invocation OCP\IConfig::setUserValue(Mock_IUser_fa903a8d Object (...), 'core', 'lostpassword', 'encryptedToken', null) does not match expected value.
Mock_IUser_fa903a8d Object (...) does not match expected type "string".'
) is identical to Array &0 (
    'status' => 'error'
    'msg' => 'Couldn't send reset email. Please contact your administrator.'
).
/drone/src/github.com/nextcloud/server/tests/Core/Controller/LostControllerTest.php:527

@blizzz blizzz added 2. developing Work in progress and removed 4. to release Ready to be released and/or waiting for tests to finish labels Apr 5, 2017
@nickvergessen
Copy link
Member

nickvergessen commented Apr 5, 2017

I guess that will not help, because this is more about "Only send the reset email once in x minutes" and does not follow the "make it slower after x failed retries"

With our new API we can do that at any time, not only failed attempts.
The advantage is, that it is a "by attacker" blocking instead of a "by victim".

@schiessle
Copy link
Member

schiessle commented Apr 12, 2017
edited
Loading

I would also prefer to use the brute force protection. If I deleted the mail by accident I don't want to wait 5 minutes until I can ask for another one. If people try to spam me, brute-force protection will help (not after the first mail but after a few). That's what it is for.

Also for the user it is completely in-transparent because he doesn't know if he need to wait 5 minutes, 10 minutes, 1 hour, 1 day. Does the counter starts again from zero after any attempt?

@nickvergessen
Copy link
Member

nickvergessen commented Apr 18, 2017

The method now has @BruteForceProtection(action=passwordResetEmail) since #4336

I think this is enough, otherwise we can also add a AnonRateLimit of 60secs, if you think it's not enough?

@MorrisJobke MorrisJobke deleted the backport-27346 branch April 18, 2017 20:54
@LukasReschke LukasReschke mentioned this pull request Apr 22, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rullzer rullzer rullzer approved these changes

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

@LukasReschke LukasReschke Awaiting requested review from LukasReschke

@schiessle schiessle Awaiting requested review from schiessle

@blizzz blizzz Awaiting requested review from blizzz

Assignees

No one assigned

Labels

2. developing Work in progress

Projects

None yet

Milestone

Nextcloud 12.0

Development

Successfully merging this pull request may close these issues.

8 participants

@MorrisJobke @mention-bot @nickvergessen @blizzz @schiessle @rullzer @imujjwal96