From ca764caf2d55a5c9bac61718d656423b0c3a060b Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Fri, 8 Oct 2021 23:19:37 +0100
Subject: [PATCH] Added throttling to password reset requests
---
 app/Config/auth.php | 1 +
 .../Auth/ForgotPasswordController.php | 2 +-
 tests/Auth/AuthTest.php | 16 ++++++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/app/Config/auth.php b/app/Config/auth.php
index 404b5352dcc..23b9039b970 100644
--- a/app/Config/auth.php
+++ b/app/Config/auth.php
@@ -70,6 +70,7 @@
 'email' => 'emails.password',
 'table' => 'password_resets',
 'expire' => 60,
+ 'throttle' => 60,
 ],
 ],
 
diff --git a/app/Http/Controllers/Auth/ForgotPasswordController.php b/app/Http/Controllers/Auth/ForgotPasswordController.php
index 3df0608f87f..8eaee08a2b4 100644
--- a/app/Http/Controllers/Auth/ForgotPasswordController.php
+++ b/app/Http/Controllers/Auth/ForgotPasswordController.php
@@ -56,7 +56,7 @@ public function sendResetLinkEmail(Request $request)
 $this->logActivity(ActivityType::AUTH_PASSWORD_RESET, $request->get('email'));
 }
 
- if ($response === Password::RESET_LINK_SENT || $response === Password::INVALID_USER) {
+ if (in_array($response, [Password::RESET_LINK_SENT, Password::INVALID_USER, Password::RESET_THROTTLED])) {
 $message = trans('auth.reset_password_sent', ['email' => $request->get('email')]);
 $this->showSuccessNotification($message);
diff --git a/tests/Auth/AuthTest.php b/tests/Auth/AuthTest.php
index d037b57011f..f19011c46ab 100644
--- a/tests/Auth/AuthTest.php
+++ b/tests/Auth/AuthTest.php
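Review bot: The new `throttle` key in the `passwords` block has no comment on its unit, and it sits directly under `expire`, which as I read the framework's password-broker config is counted in minutes while `throttle` is counted in seconds, so the two identical `60` values mean very different things. A one-line comment above the key would prevent the next edit from "aligning" them, e.g. `// Seconds a user must wait before another reset link is issued for them ('expire' above is in minutes).` It is also worth stating in that comment that the limit is tracked per user account rather than per requesting client, if that matches the broker behaviour in use, so nobody mistakes it for a request-rate limit.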
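Review bot: The rewritten condition calls `in_array` without the strict flag; the `Password` broker constants are strings so loose comparison is harmless today, but the check should stay exact: `if (in_array($response, [Password::RESET_LINK_SENT, Password::INVALID_USER, Password::RESET_THROTTLED], true)) {`. Folding `RESET_THROTTLED` into the same generic "link will be sent" notification is the right choice, since a distinct throttled message would confirm to an unauthenticated caller that the address exists. The branch that records `AUTH_PASSWORD_RESET` begins above the hunk; if its guard matches only `RESET_LINK_SENT`, throttled requests leave no activity entry, which is worth confirming is the intended audit behaviour.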
@@ -282,6 +282,22 @@ public function test_reset_password_page_shows_sign_links()
 ->assertElementContains('a', 'Sign up');
 }
 
+ public function test_reset_password_request_is_throttled()
+ {
+ $editor = $this->getEditor();
+ Notification::fake();
+ $this->get('/password/email');
+ $this->followingRedirects()->post('/password/email', [
+ 'email' => $editor->email,
+ ]);
+
+ $resp = $this->followingRedirects()->post('/password/email', [
+ 'email' => $editor->email,
+ ]);
+ Notification::assertTimesSent(1, ResetPassword::class);
+ $resp->assertSee('A password reset link will be sent to ' . $editor->email . ' if that email address is found in the system.');
+ }
+
 public function test_login_redirects_to_initially_requested_url_correctly()
 {
 config()->set('app.url', 'http://localhost');
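Review bot: The new test only checks that two back-to-back requests produce a single notification, so it would also pass if the throttle never released; a third request after advancing the test clock past the configured window (for example via `Carbon::setTestNow(now()->addSeconds(61))`, assuming the broker's recency check reads Carbon's clock) with `Notification::assertTimesSent(2, ResetPassword::class)` would pin the expiry as well. The final `assertSee` hard-codes the translated sentence that the controller builds from `auth.reset_password_sent`; `$resp->assertSee(trans('auth.reset_password_sent', ['email' => $editor->email]));` keeps the test tied to the translation key rather than its current wording. A short docblock on the method stating that the throttled response must be indistinguishable from a successful one would record why the same message is asserted twice.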