Add a rate limit to generating new account recovery links for a given account

Summary: Depends on D20665. Ref T13343. We support CAPTCHAs on the "Forgot password?" flow, but not everyone configures them (or necessarily should, since ReCAPTCHA is a huge external dependency run by Google that requires you allow Google to execute JS on your domain) and the rate at which any reasonable user needs to take this action is very low. Put a limit on the rate at which account recovery links may be generated for a particular account, so the worst case is a trickle of annoyance rather than a flood of nonsense. Test Plan: {F6607794} Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13343 Differential Revision: https://secure.phabricator.com/D20666
2024-11-10 08:52:39 +01:00 · 2019-07-19 09:38:20 -07:00 · 2019-07-19 09:38:20 -07:00 · 80294e7a4a
commit 80294e7a4a
parent ced416cc73
3 changed files with 29 additions and 0 deletions
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@ -2265,6 +2265,7 @@ phutil_register_library_map(array(
    'PhabricatorAuthDisableController' => 'applications/auth/controller/config/PhabricatorAuthDisableController.php',
    'PhabricatorAuthDowngradeSessionController' => 'applications/auth/controller/PhabricatorAuthDowngradeSessionController.php',
    'PhabricatorAuthEditController' => 'applications/auth/controller/config/PhabricatorAuthEditController.php',
+    'PhabricatorAuthEmailLoginAction' => 'applications/auth/action/PhabricatorAuthEmailLoginAction.php',
    'PhabricatorAuthEmailLoginMessageType' => 'applications/auth/message/PhabricatorAuthEmailLoginMessageType.php',
    'PhabricatorAuthEmailSetPasswordMessageType' => 'applications/auth/message/PhabricatorAuthEmailSetPasswordMessageType.php',
    'PhabricatorAuthFactor' => 'applications/auth/factor/PhabricatorAuthFactor.php',
@ -8222,6 +8223,7 @@ phutil_register_library_map(array(
    'PhabricatorAuthDisableController' => 'PhabricatorAuthProviderConfigController',
    'PhabricatorAuthDowngradeSessionController' => 'PhabricatorAuthController',
    'PhabricatorAuthEditController' => 'PhabricatorAuthProviderConfigController',
+    'PhabricatorAuthEmailLoginAction' => 'PhabricatorSystemAction',
    'PhabricatorAuthEmailLoginMessageType' => 'PhabricatorAuthMessageType',
    'PhabricatorAuthEmailSetPasswordMessageType' => 'PhabricatorAuthMessageType',
    'PhabricatorAuthFactor' => 'Phobject',
--- a/src/applications/auth/action/PhabricatorAuthEmailLoginAction.php
+++ b/src/applications/auth/action/PhabricatorAuthEmailLoginAction.php
@ -0,0 +1,21 @@
+<?php
+
+final class PhabricatorAuthEmailLoginAction extends PhabricatorSystemAction {
+
+  const TYPECONST = 'mail.login';
+
+  public function getActionConstant() {
+    return self::TYPECONST;
+  }
+
+  public function getScoreThreshold() {
+    return 3 / phutil_units('1 hour in seconds');
+  }
+
+  public function getLimitExplanation() {
+    return pht(
+      'Too many account recovery email links have been sent to this account '.
+      'in a short period of time.');
+  }
+
+}
--- a/src/applications/people/mail/PhabricatorPeopleEmailLoginMailEngine.php
+++ b/src/applications/people/mail/PhabricatorPeopleEmailLoginMailEngine.php
@ -34,6 +34,12 @@ final class PhabricatorPeopleEmailLoginMailEngine
    }

    $recipient = $this->getRecipient();
+
+    PhabricatorSystemActionEngine::willTakeAction(
+      array($recipient->getPHID()),
+      new PhabricatorAuthEmailLoginAction(),
+      1);
+
    $engine = new PhabricatorAuthSessionEngine();
    $login_uri = $engine->getOneTimeLoginURI(
      $recipient,