

Merge pull request #36574 from nextcloud/backport/36489/stable24
[stable24] Add bruteforce protection to password reset page
blizzz authored Feb 7, 2023
2 parents 4de06c5 + f89eacb commit c81f672
Showing 2 changed files with 6 additions and 1 deletion.
6 changes: 5 additions & 1 deletion core/Controller/LostController.php
Expand Up @@ -134,6 +134,8 @@ public function __construct(
*
* @PublicPage
* @NoCSRFRequired
* @BruteForceProtection(action=passwordResetEmail)
* @AnonRateThrottle(limit=10, period=300)
*
* @param string $token
* @param string $userId
Expand All @@ -147,12 +149,14 @@ public function resetform($token, $userId) {
|| ($e instanceof InvalidTokenException
&& !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN]))
) {
return new TemplateResponse(
$response = new TemplateResponse(
'core', 'error', [
"errors" => [["error" => $e->getMessage()]]
],
TemplateResponse::RENDER_AS_GUEST
);
$response->throttle();
return $response;
}
return new TemplateResponse('core', 'error', [
'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
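Review bot: The `throttle()` call added after the detailed-error `TemplateResponse` only marks the branch for token errors other than `TOKEN_NOT_FOUND` and `USER_UNKNOWN`; the fall-through that returns `Password reset is disabled` for exactly those two codes is never throttled, so a request with a guessed user ID or a user without a pending reset (if the code names mean what they suggest) counts only against `@AnonRateThrottle(limit=10, period=300)` and never feeds the `passwordResetEmail` bruteforce action. Unless the untouched start of the condition (the `||` on the hunk's first line continues a test that begins outside the hunk) already handles this, consider marking the fall-through as well: `$response = new TemplateResponse('core', 'error', ['errors' => [['error' => $this->l10n->t('Password reset is disabled')]]], TemplateResponse::RENDER_AS_GUEST); $response->throttle(); return $response;`. A one-line comment above the new annotations would also help future readers, since only responses that call `throttle()` count towards the bruteforce action: `// @BruteForceProtection only counts responses on which throttle() is called; see the catch block below.` `resetform` starts and ends outside the hunk, so the normal-path responses it returns are not visible here.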
1 change: 1 addition & 0 deletions tests/Core/Controller/LostControllerTest.php
Expand Up @@ -170,6 +170,7 @@ public function testResetFormTokenError() {
]
],
'guest');
$expectedResponse->throttle();
$this->assertEquals($expectedResponse, $response);
}

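Review bot: The added `$expectedResponse->throttle()` pins that the detailed-error branch is throttled, but nothing asserts the behaviour of the `TOKEN_NOT_FOUND`/`USER_UNKNOWN` fall-through, so a later change that starts or stops throttling the `Password reset is disabled` response would pass unnoticed. A sibling test building the expected guest response for that path, with or without `->throttle()` depending on the intended policy, would document the decision; `$this->assertEquals($expectedResponse, $response)` already compares the throttle flag as part of the object. `testResetFormTokenError` begins outside the hunk.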
