fix(lostpassword): Also rate limit the setPassword endpoint

Signed-off-by: Joas Schilling <[email protected]>
nextcloud · nickvergessen · May 16, 2023 · May 15, 2023 · May 15, 2023 · May 15, 2023
commit 147d52391340056388a1c6c0d0fb0c6401c92a31
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
@@ -247,11 +247,13 @@ public function email($user) {
 
 	/**
 	 * @PublicPage
+	 * @BruteForceProtection(action=passwordResetEmail)
+	 * @AnonRateThrottle(limit=10, period=300)
 	 * @param string $token
 	 * @param string $userId
 	 * @param string $password
 	 * @param boolean $proceed
-	 * @return array
+	 * @return JSONResponse
 	 */
 	public function setPassword($token, $userId, $password, $proceed) {
 		if ($this->encryptionManager->isEnabled() && !$proceed) {
@@ -261,7 +263,7 @@ public function setPassword($token, $userId, $password, $proceed) {
 				$instance = call_user_func($module['callback']);
 				// this way we can find out whether per-user keys are used or a system wide encryption key
 				if ($instance->needDetailedAccessList()) {
-					return $this->error('', ['encryption' => true]);
+					return new JSONResponse($this->error('', ['encryption' => true]));
 				}
 			}
 		}
@@ -283,12 +285,16 @@ public function setPassword($token, $userId, $password, $proceed) {
 			$this->config->deleteUserValue($userId, 'core', 'lostpassword');
 			@\OC::$server->getUserSession()->unsetMagicInCookie();
 		} catch (HintException $e) {
-			return $this->error($e->getHint());
+			$response = new JSONResponse($this->error($e->getHint()));
+			$response->throttle();
+			return $response;
 		} catch (\Exception $e) {
-			return $this->error($e->getMessage());
+			$response = new JSONResponse($this->error($e->getMessage()));
+			$response->throttle();
+			return $response;
 		}
 
-		return $this->success(['user' => $userId]);
+		return new JSONResponse($this->success(['user' => $userId]));
 	}
 
 	/**