Merge pull request #36577 from nextcloud/backport/36489/stable21

[stable21] Add bruteforce protection to password reset page
1 year ago · 2de572a557
parent c08becb293 69c5dc2927
commit 2de572a557
2 changed files with 8 additions and 1 deletions
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@ -151,6 +151,8 @@ class LostController extends Controller {
 	 *
 	 * @PublicPage
 	 * @NoCSRFRequired
+	 * @BruteForceProtection(action=passwordResetEmail)
+	 * @AnonRateThrottle(limit=10, period=300)
 	 *
 	 * @param string $token
 	 * @param string $userId
@ -168,12 +170,14 @@ class LostController extends Controller {
 		try {
 			$this->checkPasswordResetToken($token, $userId);
 		} catch (\Exception $e) {
-			return new TemplateResponse(
+			$response = new TemplateResponse(
 				'core', 'error', [
 					"errors" => [["error" => $e->getMessage()]]
 				],
 				'guest'
 			);
+			$response->throttle();
+			return $response;
 		}
 		$this->initialStateService->provideInitialState('core', 'resetPasswordUser', $userId);
 		$this->initialStateService->provideInitialState('core', 'resetPasswordTarget',
--- a/tests/Core/Controller/LostControllerTest.php
+++ b/tests/Core/Controller/LostControllerTest.php
@ -173,6 +173,7 @@ class LostControllerTest extends \Test\TestCase {
 			],
 			'guest'
 		);
+		$expectedResponse->throttle();
 		$this->assertEquals($expectedResponse, $this->lostController->resetform('MySecretToken', 'NotExistingUser'));
 	}

@ -200,6 +201,7 @@ class LostControllerTest extends \Test\TestCase {
 				]
 			],
 			'guest');
+		$expectedResponse->throttle();
 		$this->assertEquals($expectedResponse, $response);
 	}

@ -232,6 +234,7 @@ class LostControllerTest extends \Test\TestCase {
 				]
 			],
 			'guest');
+		$expectedResponse->throttle();
 		$this->assertEquals($expectedResponse, $response);
 	}