From 6e66044fcedd1b20ccd2ee7733368cdf8c64a497 Mon Sep 17 00:00:00 2001
From: Alex Bogdanovski
Date: Mon, 2 Aug 2021 01:27:45 +0300
Subject: [PATCH] fixed possible spamming with password reset emails
---
 .../com/erudika/scoold/controllers/SigninController.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/main/java/com/erudika/scoold/controllers/SigninController.java b/src/main/java/com/erudika/scoold/controllers/SigninController.java
index 3a70865b..b4defa23 100755
--- a/src/main/java/com/erudika/scoold/controllers/SigninController.java
+++ b/src/main/java/com/erudika/scoold/controllers/SigninController.java
@@ -41,6 +41,7 @@ import org.springframework.web.bind.annotation.RequestParam;
 import static com.erudika.scoold.utils.HttpUtils.getBackToUrl;
 import static com.erudika.scoold.utils.HttpUtils.setAuthCookie;
+import java.util.concurrent.TimeUnit;
 import org.apache.commons.lang3.math.NumberUtils;
 import org.slf4j.LoggerFactory;
@@ -360,9 +361,11 @@ private String generatePasswordResetToken(String email, HttpServletRequest req)
 return "";
 }
 Sysprop s = pc.read(email);
- if (s != null) {
+ // pass reset emails can be sent once every 12h
+ if (s != null && (s.getUpdated() == null || Utils.timestamp() > (s.getUpdated() + TimeUnit.HOURS.toNanos(12)))) {
 String token = Utils.generateSecurityToken(42, true);
 s.addProperty(Config._RESET_TOKEN, token);
+ s.setUpdated(Utils.timestamp());
 if (pc.update(s) != null) {
 utils.sendPasswordResetEmail(email, token, req);
 }
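Review bot: The cooldown arithmetic in the new `if` of the second hunk mixes units: `TimeUnit.HOURS.toNanos(12)` is added to `s.getUpdated()` and compared against `Utils.timestamp()`, and if those are millisecond epoch values (Para's `Utils.timestamp()` is, as far as I recall — please confirm) the window is 4.32e13 ms, roughly 1,400 years, so once an account has received one reset email it can never receive another and the spam guard becomes a permanent lockout of the recovery flow. The fix is `TimeUnit.HOURS.toMillis(12)`, and reading the clock once — `long now = Utils.timestamp();` before the check, then `s.setUpdated(now);` — keeps the stored and compared values identical. Note also that `updated` is the object's generic modification timestamp, so any other `pc.update(s)` on this Sysprop (for instance when the token is consumed) will presumably bump it and extend or reset the throttle; a dedicated property alongside `Config._RESET_TOKEN` holding the last-sent time would be less fragile, and consider logging when a request is suppressed so operators can tell throttling from a delivery failure. `generatePasswordResetToken` begins and ends outside the hunk.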