From e7a5d0cd5f28b026c64886d63a8d4adc60013e35 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Fri, 2 Feb 2024 16:26:08 +0100
Subject: [PATCH] fix: Add bruteforce protection to email endpoint

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 .../lib/Controller/VerificationController.php | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php
index e184dc13fc653..389ba40c70133 100644
--- a/apps/provisioning_api/lib/Controller/VerificationController.php
+++ b/apps/provisioning_api/lib/Controller/VerificationController.php
@@ -80,7 +80,7 @@ public function __construct(
 	 * @NoAdminRequired
 	 * @NoSubAdminRequired
 	 */
-	public function showVerifyMail(string $token, string $userId, string $key) {
+	public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse {
 		if ($this->userSession->getUser()->getUID() !== $userId) {
 			// not a public page, hence getUser() must return an IUser
 			throw new InvalidArgumentException('Logged in account is not mail address owner');
@@ -98,8 +98,10 @@ public function showVerifyMail(string $token, string $userId, string $key) {
 	/**
 	 * @NoAdminRequired
 	 * @NoSubAdminRequired
+	 * @BruteForceProtection(action=emailVerification)
 	 */
-	public function verifyMail(string $token, string $userId, string $key) {
+	public function verifyMail(string $token, string $userId, string $key): TemplateResponse {
+		$throttle = false;
 		try {
 			if ($this->userSession->getUser()->getUID() !== $userId) {
 				throw new InvalidArgumentException('Logged in account is not mail address owner');
@@ -121,9 +123,12 @@ public function verifyMail(string $token, string $userId, string $key) {
 			$this->accountManager->updateAccount($userAccount);
 			$this->verificationToken->delete($token, $user, 'verifyMail' . $ref);
 		} catch (InvalidTokenException $e) {
-			$error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
-				? $this->l10n->t('Could not verify mail because the token is expired.')
-				: $this->l10n->t('Could not verify mail because the token is invalid.');
+			if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) {
+				$error = $this->l10n->t('Could not verify mail because the token is expired.');
+			} else {
+				$throttle = true;
+				$error = $this->l10n->t('Could not verify mail because the token is invalid.');
+			}
 		} catch (InvalidArgumentException $e) {
 			$error = $e->getMessage();
 		} catch (\Exception $e) {
@@ -131,10 +136,14 @@ public function verifyMail(string $token, string $userId, string $key) {
 		}
 
 		if (isset($error)) {
-			return new TemplateResponse(
+			$response = new TemplateResponse(
 				'core', 'error', [
 					'errors' => [['error' => $error]]
 				], TemplateResponse::RENDER_AS_GUEST);
+			if ($throttle) {
+				$response->throttle();
+			}
+			return $response;
 		}
 
 		return new TemplateResponse(