Skip to content

Commit

Permalink
fix: Add bruteforce protection to email endpoint
Browse files Browse the repository at this point in the history
Signed-off-by: Joas Schilling <[email protected]>
  • Loading branch information
nickvergessen committed Feb 14, 2024
1 parent 3ce622f commit e7a5d0c
Showing 1 changed file with 15 additions and 6 deletions.
21 changes: 15 additions & 6 deletions apps/provisioning_api/lib/Controller/VerificationController.php
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ public function __construct(
* @NoAdminRequired
* @NoSubAdminRequired
*/
public function showVerifyMail(string $token, string $userId, string $key) {
public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse {
if ($this->userSession->getUser()->getUID() !== $userId) {
// not a public page, hence getUser() must return an IUser
throw new InvalidArgumentException('Logged in account is not mail address owner');
Expand All @@ -98,8 +98,10 @@ public function showVerifyMail(string $token, string $userId, string $key) {
/**
* @NoAdminRequired
* @NoSubAdminRequired
* @BruteForceProtection(action=emailVerification)
*/
public function verifyMail(string $token, string $userId, string $key) {
public function verifyMail(string $token, string $userId, string $key): TemplateResponse {
$throttle = false;
try {
if ($this->userSession->getUser()->getUID() !== $userId) {
throw new InvalidArgumentException('Logged in account is not mail address owner');
Expand All @@ -121,20 +123,27 @@ public function verifyMail(string $token, string $userId, string $key) {
$this->accountManager->updateAccount($userAccount);
$this->verificationToken->delete($token, $user, 'verifyMail' . $ref);
} catch (InvalidTokenException $e) {
$error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
? $this->l10n->t('Could not verify mail because the token is expired.')
: $this->l10n->t('Could not verify mail because the token is invalid.');
if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) {
$error = $this->l10n->t('Could not verify mail because the token is expired.');
} else {
$throttle = true;
$error = $this->l10n->t('Could not verify mail because the token is invalid.');
}
} catch (InvalidArgumentException $e) {
$error = $e->getMessage();
} catch (\Exception $e) {
$error = $this->l10n->t('An unexpected error occurred. Please contact your admin.');
}

if (isset($error)) {
return new TemplateResponse(
$response = new TemplateResponse(
'core', 'error', [
'errors' => [['error' => $error]]
], TemplateResponse::RENDER_AS_GUEST);
if ($throttle) {
$response->throttle();
}
return $response;
}

return new TemplateResponse(
Expand Down

0 comments on commit e7a5d0c

Please sign in to comment.