Skip to content

[stable21] fix(lostpassword): Also rate limit the setPassword endpoint #38273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nickvergessen merged 3 commits into from
May 16, 2023
Merged

[stable21] fix(lostpassword): Also rate limit the setPassword endpoint #38273

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8bf2d4a
fix(lostpassword): Also rate limit the setPassword endpoint
nickvergessen May 15, 2023
33f5016
fix(tests): Adjust unit tests
nickvergessen May 15, 2023
4318969
fix(tests): Fix more tests in backport
nickvergessen May 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 11 additions & 5 deletions core/Controller/LostController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -283,11 +283,13 @@ public function email($user) {

/**
* @PublicPage
* @BruteForceProtection(action=passwordResetEmail)
* @AnonRateThrottle(limit=10, period=300)
* @param string $token
* @param string $userId
* @param string $password
* @param boolean $proceed
* @return array
* @return JSONResponse
*/
public function setPassword($token, $userId, $password, $proceed) {
if ($this->config->getSystemValue('lost_password_link', '') !== '') {
Expand All @@ -301,7 +303,7 @@ public function setPassword($token, $userId, $password, $proceed) {
$instance = call_user_func($module['callback']);
// this way we can find out whether per-user keys are used or a system wide encryption key
if ($instance->needDetailedAccessList()) {
return $this->error('', ['encryption' => true]);
return new JSONResponse($this->error('', ['encryption' => true]));
}
}
}
Expand All @@ -323,12 +325,16 @@ public function setPassword($token, $userId, $password, $proceed) {
$this->config->deleteUserValue($userId, 'core', 'lostpassword');
@\OC::$server->getUserSession()->unsetMagicInCookie();
} catch (HintException $e) {
return $this->error($e->getHint());
$response = new JSONResponse($this->error($e->getHint()));
$response->throttle();
return $response;
} catch (\Exception $e) {
return $this->error($e->getMessage());
$response = new JSONResponse($this->error($e->getMessage()));
$response->throttle();
return $response;
}

return $this->success(['user' => $userId]);
return new JSONResponse($this->success(['user' => $userId]));
}

/**
Expand Down
20 changes: 10 additions & 10 deletions tests/Core/Controller/LostControllerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -574,7 +574,7 @@ public function testSetPasswordUnsuccessful() {

$response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'ValidTokenUser', 'NewPassword', true);
$expectedResponse = ['status' => 'error', 'msg' => ''];
$this->assertSame($expectedResponse, $response);
$this->assertSame($expectedResponse, $response->getData());
}

public function testSetPasswordSuccessful() {
Expand Down Expand Up @@ -604,7 +604,7 @@ public function testSetPasswordSuccessful() {

$response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'ValidTokenUser', 'NewPassword', true);
$expectedResponse = ['user' => 'ValidTokenUser', 'status' => 'success'];
$this->assertSame($expectedResponse, $response);
$this->assertSame($expectedResponse, $response->getData());
}

public function testSetPasswordExpiredToken() {
Expand All @@ -628,7 +628,7 @@ public function testSetPasswordExpiredToken() {
'status' => 'error',
'msg' => 'Couldn\'t reset password because the token is expired',
];
$this->assertSame($expectedResponse, $response);
$this->assertSame($expectedResponse, $response->getData());
}

public function testSetPasswordInvalidDataInDb() {
Expand All @@ -651,7 +651,7 @@ public function testSetPasswordInvalidDataInDb() {
'status' => 'error',
'msg' => 'Couldn\'t reset password because the token is invalid',
];
$this->assertSame($expectedResponse, $response);
$this->assertSame($expectedResponse, $response->getData());
}

public function testSetPasswordExpiredTokenDueToLogin() {
Expand Down Expand Up @@ -679,7 +679,7 @@ public function testSetPasswordExpiredTokenDueToLogin() {
'status' => 'error',
'msg' => 'Couldn\'t reset password because the token is expired',
];
$this->assertSame($expectedResponse, $response);
$this->assertSame($expectedResponse, $response->getData());
}

public function testIsSetPasswordWithoutTokenFailing() {
Expand All @@ -701,7 +701,7 @@ public function testIsSetPasswordWithoutTokenFailing() {
'status' => 'error',
'msg' => 'Couldn\'t reset password because the token is invalid'
];
$this->assertSame($expectedResponse, $response);
$this->assertSame($expectedResponse, $response->getData());
}

public function testIsSetPasswordTokenNullFailing() {
Expand All @@ -717,7 +717,7 @@ public function testIsSetPasswordTokenNullFailing() {
'status' => 'error',
'msg' => 'Couldn\'t reset password because the token is invalid'
];
$this->assertSame($expectedResponse, $response);
$this->assertSame($expectedResponse, $response->getData());
}

public function testSetPasswordForDisabledUser() {
Expand All @@ -740,7 +740,7 @@ public function testSetPasswordForDisabledUser() {
'status' => 'error',
'msg' => 'Couldn\'t reset password because the token is invalid'
];
$this->assertSame($expectedResponse, $response);
$this->assertSame($expectedResponse, $response->getData());
}

public function testSendEmailNoEmail() {
Expand Down Expand Up @@ -776,7 +776,7 @@ public function testSetPasswordEncryptionDontProceedPerUserKey() {
}]]);
$response = $this->lostController->setPassword('myToken', 'user', 'newpass', false);
$expectedResponse = ['status' => 'error', 'msg' => '', 'encryption' => true];
$this->assertSame($expectedResponse, $response);
$this->assertSame($expectedResponse, $response->getData());
}

public function testSetPasswordDontProceedMasterKey() {
Expand Down Expand Up @@ -812,7 +812,7 @@ public function testSetPasswordDontProceedMasterKey() {

$response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'ValidTokenUser', 'NewPassword', false);
$expectedResponse = ['user' => 'ValidTokenUser', 'status' => 'success'];
$this->assertSame($expectedResponse, $response);
$this->assertSame($expectedResponse, $response->getData());
}

public function testTwoUsersWithSameEmail() {
Expand Down