upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-16 10:30:10 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 13

fix: Add bruteforce protection to email endpoint

Browse source 
Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Joas Schilling 2024-02-02 16:26:08 +01:00
parent 2f8760cf2e
commit ece2e900a1
No known key found for this signature in database
GPG key ID: 74434EFE0D2E2205
1 changed files with 15 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
apps/provisioning_api/lib/Controller/VerificationController.php
View file

@ -77,7 +77,7 @@ class VerificationController extends Controller {
* @NoAdminRequired
* @NoSubAdminRequired
*/
public function showVerifyMail(string $token, string $userId, string $key) {
public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse {
if ($this->userSession->getUser()->getUID() !== $userId) {
// not a public page, hence getUser() must return an IUser
throw new InvalidArgumentException('Logged in user is not mail address owner');
@ -95,8 +95,10 @@ class VerificationController extends Controller {
/**
* @NoAdminRequired
* @NoSubAdminRequired
* @BruteForceProtection(action=emailVerification)
*/
public function verifyMail(string $token, string $userId, string $key) {
public function verifyMail(string $token, string $userId, string $key): TemplateResponse {
$throttle = false;
try {
if ($this->userSession->getUser()->getUID() !== $userId) {
throw new InvalidArgumentException('Logged in user is not mail address owner');
@ -118,9 +120,12 @@ class VerificationController extends Controller {
$this->accountManager->updateAccount($userAccount);
$this->verificationToken->delete($token, $user, 'verifyMail' . $ref);
} catch (InvalidTokenException $e) {
$error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
? $this->l10n->t('Could not verify mail because the token is expired.')
: $this->l10n->t('Could not verify mail because the token is invalid.');
if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) {
$error = $this->l10n->t('Could not verify mail because the token is expired.');
} else {
$throttle = true;
$error = $this->l10n->t('Could not verify mail because the token is invalid.');
}
} catch (InvalidArgumentException $e) {
$error = $e->getMessage();
} catch (\Exception $e) {
@ -128,10 +133,14 @@ class VerificationController extends Controller {
}
if (isset($error)) {
return new TemplateResponse(
$response = new TemplateResponse(
'core', 'error', [
'errors' => [['error' => $error]]
], TemplateResponse::RENDER_AS_GUEST);
if ($throttle) {
$response->throttle();
}
return $response;
}
return new TemplateResponse(