use rate limiter for lost username / lost password functionality
Guite committed Sep 20, 2021
1 parent 41900dd commit a122e7d
Showing 4 changed files with 26 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG-3.1.md
Expand Up @@ -48,6 +48,7 @@
- [Theme] Add `Symfony\WebpackEncoreBundle` (#4571).
- Automatically adds webpack assets via a listener.
- [Users/ZAuth] Default authentication method is changed to "native either" (#4351).
- [ZAuth] Utilize rate limiter component for lost username / lost password functionalities.

- Deprecated:
- [General] Controller methods should not have an `Action` suffix in their names anymore.
6 changes: 6 additions & 0 deletions config/packages/rate_limiter.yaml
@@ -0,0 +1,6 @@
framework:
rate_limiter:
lost_credentials:
policy: 'fixed_window'
limit: 20
interval: '60 minutes'
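Review bot: The new `lost_credentials` limiter carries no comment explaining what it bounds or who shares it, even though the policy/limit/interval triple is exactly what a future maintainer will want to tune. I would add `# Shared by lostUserName and lostPassword (AccountController); keyed per client IP` above the `policy` line so the pool name can be traced back to its consumers. Note also that `fixed_window` resets the counter at each window boundary, so a client can make close to 2×20 attempts inside a single 60-minute span that straddles the reset; if that matters here, `sliding_window` with the same limit and interval gives a smoother bound. The storage backing the limiter is not configured in this hunk, so I assume it falls back to the framework's default cache pool — worth confirming that pool is shared across all web nodes, otherwise the limit is per-node.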
Expand Up @@ -46,10 +46,10 @@ public function __construct(
AssetBag $jsAssetBag,
AssetBag $cssAssetBag,
EntrypointLookupCollectionInterface $lookupCollection,
string $entryPoint = '_default',
string $entryName = 'app',
string $installed,
string $projectDir
string $projectDir,
string $entryPoint = '_default',
string $entryName = 'app'
) {
$this->jsAssetBag = $jsAssetBag;
$this->cssAssetBag = $cssAssetBag;
17 changes: 16 additions & 1 deletion src/system/ZAuthModule/Controller/AccountController.php
Expand Up @@ -18,6 +18,8 @@
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
Expand Down Expand Up @@ -58,6 +60,7 @@ public function lostUserName(
Request $request,
RouterInterface $router,
CurrentUserApiInterface $currentUserApi,
RateLimiterFactory $lostCredentialsLimiter,
AuthenticationMappingRepositoryInterface $authenticationMappingRepository,
VariableApiInterface $variableApi,
MailHelper $mailHelper
Expand All @@ -66,9 +69,15 @@ public function lostUserName(
return $this->redirectToRoute('zikulausersmodule_account_menu');
}


$form = $this->createForm(LostUserNameType::class, []);
$form->handleRequest($request);
if ($form->isSubmitted()) {
if ($form->isSubmitted() && $form->isValid()) {
$limiter = $lostCredentialsLimiter->create($request->getClientIp());
if (false === $limiter->consume(1)->isAccepted()) {
throw new TooManyRequestsHttpException();
}

$data = $form->getData();
$mapping = $authenticationMappingRepository->findBy(['email' => $data['email']]);
if (1 === count($mapping)) {
Expand Down Expand Up @@ -109,6 +118,7 @@ public function lostPassword(
Request $request,
RouterInterface $router,
CurrentUserApiInterface $currentUserApi,
RateLimiterFactory $lostCredentialsLimiter,
UserRepositoryInterface $userRepository,
AuthenticationMappingRepositoryInterface $authenticationMappingRepository,
LostPasswordVerificationHelper $lostPasswordVerificationHelper,
Expand All @@ -124,6 +134,11 @@ public function lostPassword(
$form = $this->createForm(LostPasswordType::class, []);
$form->handleRequest($request);
if ($form->isSubmitted() && $form->isValid()) {
$limiter = $lostCredentialsLimiter->create($request->getClientIp());
if (false === $limiter->consume(1)->isAccepted()) {
throw new TooManyRequestsHttpException();
}

$redirectToRoute = '';
$map = ['uname' => $this->trans('username'), 'email' => $this->trans('email address')];
$data = $form->getData();
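Review bot: `throw new TooManyRequestsHttpException();` in both lostUserName and lostPassword discards the `RateLimit` returned by `consume(1)`, so the 429 response carries no `Retry-After` header and the client cannot tell when to retry. Keep the result and pass the wait time through: `$limit = $limiter->consume(1);` / `if (false === $limit->isAccepted()) {` / `throw new TooManyRequestsHttpException($limit->getRetryAfter()->getTimestamp() - time());`. The same five-line check is duplicated verbatim in the two methods; a private helper taking the factory and the request would keep the two call sites from drifting apart. Both keys come from `$request->getClientIp()`, which can be null when the address is not determinable and collapses to the proxy address when trusted proxies are not configured — in the first case every such request shares one bucket, in the second all users behind the proxy do; I cannot see the proxy configuration from this diff, so please confirm it, and consider also folding the submitted email/username into the key so one source cannot spend the whole per-IP budget against a single account. The bodies of lostUserName and lostPassword continue outside the hunks.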
