Add a rate limit to generating new account recovery links for a given account
Summary: Depends on D20665. Ref T13343. We support CAPTCHAs on the "Forgot password?" flow, but not everyone configures them (or necessarily should, since ReCAPTCHA is a huge external dependency run by Google that requires you allow Google to execute JS on your domain) and the rate at which any reasonable user needs to take this action is very low. Put a limit on the rate at which account recovery links may be generated for a particular account, so the worst case is a trickle of annoyance rather than a flood of nonsense. Test Plan: {F6607794} Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13343 Differential Revision: https://secure.phabricator.com/D20666
This commit is contained in:
parent
ced416cc73
commit
80294e7a4a
3 changed files with 29 additions and 0 deletions
|
@ -2265,6 +2265,7 @@ phutil_register_library_map(array(
|
|||
'PhabricatorAuthDisableController' => 'applications/auth/controller/config/PhabricatorAuthDisableController.php',
|
||||
'PhabricatorAuthDowngradeSessionController' => 'applications/auth/controller/PhabricatorAuthDowngradeSessionController.php',
|
||||
'PhabricatorAuthEditController' => 'applications/auth/controller/config/PhabricatorAuthEditController.php',
|
||||
'PhabricatorAuthEmailLoginAction' => 'applications/auth/action/PhabricatorAuthEmailLoginAction.php',
|
||||
'PhabricatorAuthEmailLoginMessageType' => 'applications/auth/message/PhabricatorAuthEmailLoginMessageType.php',
|
||||
'PhabricatorAuthEmailSetPasswordMessageType' => 'applications/auth/message/PhabricatorAuthEmailSetPasswordMessageType.php',
|
||||
'PhabricatorAuthFactor' => 'applications/auth/factor/PhabricatorAuthFactor.php',
|
||||
|
@ -8222,6 +8223,7 @@ phutil_register_library_map(array(
|
|||
'PhabricatorAuthDisableController' => 'PhabricatorAuthProviderConfigController',
|
||||
'PhabricatorAuthDowngradeSessionController' => 'PhabricatorAuthController',
|
||||
'PhabricatorAuthEditController' => 'PhabricatorAuthProviderConfigController',
|
||||
'PhabricatorAuthEmailLoginAction' => 'PhabricatorSystemAction',
|
||||
'PhabricatorAuthEmailLoginMessageType' => 'PhabricatorAuthMessageType',
|
||||
'PhabricatorAuthEmailSetPasswordMessageType' => 'PhabricatorAuthMessageType',
|
||||
'PhabricatorAuthFactor' => 'Phobject',
|
||||
|
|
|
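--- /dev/null
+++ b/applications/auth/action/PhabricatorAuthEmailLoginAction.php
@@ -0,0 +1,21 @@
+<?php
+
+final class PhabricatorAuthEmailLoginAction extends PhabricatorSystemAction {
+
+  const TYPECONST = 'mail.login';
+
+  public function getActionConstant() {
+    return self::TYPECONST;
+  }
+
+  public function getScoreThreshold() {
+    return 3 / phutil_units('1 hour in seconds');
+  }
+
+  public function getLimitExplanation() {
+    return pht(
+      'Too many account recovery email links have been sent to this account '.
+      'in a short period of time.');
+  }
+
+}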
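Review bot: The value returned on the getScoreThreshold line, `3 / phutil_units('1 hour in seconds')`, is a per-second score that nothing in the class explains, so a comment above it such as `// Allow three recovery links per account per hour, expressed as the per-second threshold the action engine presumably compares against.` would save the next reader a trip into PhabricatorSystemActionEngine. A class-level docblock should also say that this action is scored against the target account's PHID (that is how the mail engine in this commit calls it), not against the requester, so the explanation text is what a requester sees when someone else has already used up that account's allowance. The hard-coded 3/hour is a sensible starting point, but lifting it into a named class constant would make the choice visible and easier to tune.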
|
@ -34,6 +34,12 @@ final class PhabricatorPeopleEmailLoginMailEngine
|
|||
}
|
||||
|
||||
$recipient = $this->getRecipient();
|
||||
|
||||
PhabricatorSystemActionEngine::willTakeAction(
|
||||
array($recipient->getPHID()),
|
||||
new PhabricatorAuthEmailLoginAction(),
|
||||
1);
|
||||
|
||||
$engine = new PhabricatorAuthSessionEngine();
|
||||
$login_uri = $engine->getOneTimeLoginURI(
|
||||
$recipient,
|
||||
|
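Review bot: The willTakeAction call keys the limit on `$recipient->getPHID()`, so it bounds recovery mail per target account but places no bound on one requester cycling through many accounts; a comment stating that scope would help, e.g. `// Rate limit is per target account: it bounds mail to one victim, not requests from one source.` Because the check runs before getOneTimeLoginURI, an over-limit request presumably raises the engine's rate-limit exception to whatever calls this method — confirm the caller renders it as a user-facing message rather than letting it surface as an unhandled error. The explanation text also tells the requester that links were recently sent to this account, which confirms the account exists, so per-source throttling or a CAPTCHA should still sit in front of this flow. The enclosing method starts and ends outside the hunk.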
|