1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-26 07:20:57 +01:00

Add a rate limit to generating new account recovery links for a given account

Summary:
Depends on D20665. Ref T13343. We support CAPTCHAs on the "Forgot password?" flow, but not everyone configures them (or necessarily should, since ReCAPTCHA is a huge external dependency run by Google that requires you allow Google to execute JS on your domain) and the rate at which any reasonable user needs to take this action is very low.

Put a limit on the rate at which account recovery links may be generated for a particular account, so the worst case is a trickle of annoyance rather than a flood of nonsense.

Test Plan: {F6607794}

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13343

Differential Revision: https://secure.phabricator.com/D20666
This commit is contained in:
epriestley 2019-07-19 09:38:20 -07:00
parent ced416cc73
commit 80294e7a4a
3 changed files with 29 additions and 0 deletions

View file

@ -2265,6 +2265,7 @@ phutil_register_library_map(array(
'PhabricatorAuthDisableController' => 'applications/auth/controller/config/PhabricatorAuthDisableController.php',
'PhabricatorAuthDowngradeSessionController' => 'applications/auth/controller/PhabricatorAuthDowngradeSessionController.php',
'PhabricatorAuthEditController' => 'applications/auth/controller/config/PhabricatorAuthEditController.php',
'PhabricatorAuthEmailLoginAction' => 'applications/auth/action/PhabricatorAuthEmailLoginAction.php',
'PhabricatorAuthEmailLoginMessageType' => 'applications/auth/message/PhabricatorAuthEmailLoginMessageType.php',
'PhabricatorAuthEmailSetPasswordMessageType' => 'applications/auth/message/PhabricatorAuthEmailSetPasswordMessageType.php',
'PhabricatorAuthFactor' => 'applications/auth/factor/PhabricatorAuthFactor.php',
@ -8222,6 +8223,7 @@ phutil_register_library_map(array(
'PhabricatorAuthDisableController' => 'PhabricatorAuthProviderConfigController',
'PhabricatorAuthDowngradeSessionController' => 'PhabricatorAuthController',
'PhabricatorAuthEditController' => 'PhabricatorAuthProviderConfigController',
'PhabricatorAuthEmailLoginAction' => 'PhabricatorSystemAction',
'PhabricatorAuthEmailLoginMessageType' => 'PhabricatorAuthMessageType',
'PhabricatorAuthEmailSetPasswordMessageType' => 'PhabricatorAuthMessageType',
'PhabricatorAuthFactor' => 'Phobject',

View file

@ -0,0 +1,21 @@
<?php
final class PhabricatorAuthEmailLoginAction extends PhabricatorSystemAction {
const TYPECONST = 'mail.login';
public function getActionConstant() {
return self::TYPECONST;
}
public function getScoreThreshold() {
return 3 / phutil_units('1 hour in seconds');
}
public function getLimitExplanation() {
return pht(
'Too many account recovery email links have been sent to this account '.
'in a short period of time.');
}
}

View file

@ -34,6 +34,12 @@ final class PhabricatorPeopleEmailLoginMailEngine
}
$recipient = $this->getRecipient();
PhabricatorSystemActionEngine::willTakeAction(
array($recipient->getPHID()),
new PhabricatorAuthEmailLoginAction(),
1);
$engine = new PhabricatorAuthSessionEngine();
$login_uri = $engine->getOneTimeLoginURI(
$recipient,