Skip to content

Commit

Permalink
Merge pull request #36489 from nextcloud/bugfix/noid/brute-force-prot…
Browse files Browse the repository at this point in the history
…ection-password-reset

Add bruteforce protection to password reset page
  • Loading branch information
nickvergessen authored Feb 6, 2023
2 parents fa1d50c + 875e6cf commit 5957881
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 1 deletion.
6 changes: 5 additions & 1 deletion core/Controller/LostController.php
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,8 @@ public function __construct(
*
* @PublicPage
* @NoCSRFRequired
* @BruteForceProtection(action=passwordResetEmail)
* @AnonRateThrottle(limit=10, period=300)
*/
public function resetform(string $token, string $userId): TemplateResponse {
try {
Expand All @@ -137,12 +139,14 @@ public function resetform(string $token, string $userId): TemplateResponse {
|| ($e instanceof InvalidTokenException
&& !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN]))
) {
return new TemplateResponse(
$response = new TemplateResponse(
'core', 'error', [
"errors" => [["error" => $e->getMessage()]]
],
TemplateResponse::RENDER_AS_GUEST
);
$response->throttle();
return $response;
}
return new TemplateResponse('core', 'error', [
'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
Expand Down
1 change: 1 addition & 0 deletions tests/Core/Controller/LostControllerTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,7 @@ public function testResetFormTokenError() {
]
],
'guest');
$expectedResponse->throttle();
$this->assertEquals($expectedResponse, $response);
}

Expand Down

0 comments on commit 5957881

Please sign in to comment.