
Add a rate limit to requesting account recovery links from a given remote address

Summary:
Depends on D20666. Ref T13343. In D20666, I limited the rate at which a given user account can be sent account recovery links.

Here, add a companion limit to the rate at which a given remote address may request recovery of any account. This limit is a little more forgiving since reasonable users may plausibly try multiple variations of several email addresses, make typos, etc. The goal is just to hinder attackers from fishing for every address under the sun on installs with no CAPTCHA configured and no broad-spectrum VPN-style access controls.

Test Plan: {F6607846}

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13343

Differential Revision: https://secure.phabricator.com/D20667

+36
+2
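--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -2429,6 +2429,7 @@
     'PhabricatorAuthTemporaryTokenTypeModule' => 'applications/auth/tokentype/PhabricatorAuthTemporaryTokenTypeModule.php',
     'PhabricatorAuthTerminateSessionController' => 'applications/auth/controller/PhabricatorAuthTerminateSessionController.php',
     'PhabricatorAuthTestSMSAction' => 'applications/auth/action/PhabricatorAuthTestSMSAction.php',
+    'PhabricatorAuthTryEmailLoginAction' => 'applications/auth/action/PhabricatorAuthTryEmailLoginAction.php',
     'PhabricatorAuthTryFactorAction' => 'applications/auth/action/PhabricatorAuthTryFactorAction.php',
     'PhabricatorAuthUnlinkController' => 'applications/auth/controller/PhabricatorAuthUnlinkController.php',
     'PhabricatorAuthValidateController' => 'applications/auth/controller/PhabricatorAuthValidateController.php',
@@ -8424,6 +8425,7 @@
     'PhabricatorAuthTemporaryTokenTypeModule' => 'PhabricatorConfigModule',
     'PhabricatorAuthTerminateSessionController' => 'PhabricatorAuthController',
     'PhabricatorAuthTestSMSAction' => 'PhabricatorSystemAction',
+    'PhabricatorAuthTryEmailLoginAction' => 'PhabricatorSystemAction',
     'PhabricatorAuthTryFactorAction' => 'PhabricatorSystemAction',
     'PhabricatorAuthUnlinkController' => 'PhabricatorAuthController',
     'PhabricatorAuthValidateController' => 'PhabricatorAuthController',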
+22
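--- /dev/null
+++ b/src/applications/auth/action/PhabricatorAuthTryEmailLoginAction.php
@@ -0,0 +1,22 @@
+<?php
+
+final class PhabricatorAuthTryEmailLoginAction
+  extends PhabricatorSystemAction {
+
+  const TYPECONST = 'mail.try-login';
+
+  public function getActionConstant() {
+    return self::TYPECONST;
+  }
+
+  public function getScoreThreshold() {
+    return 20 / phutil_units('1 hour in seconds');
+  }
+
+  public function getLimitExplanation() {
+    return pht(
+      'You have made too many account recovery requests in a short period '.
+      'of time.');
+  }
+
+}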
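Review bot: `getScoreThreshold()` in the new class returns `20 / phutil_units('1 hour in seconds')` with no comment, so a reader has to already know that the engine compares a per-second rate (presumably scored over a sliding window) to recover that this means roughly twenty requests per hour per remote address. A one-line why-comment above the return, `// About 20 recovery requests per hour per remote address; looser than the per-account limit because users may retry several addresses or mistype.`, would capture the reasoning the summary gives but the file does not. Consider also stating in a class docblock that the actor for this action is the remote address, since nothing in the file itself says what is being limited.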
+8
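--- a/src/applications/auth/controller/PhabricatorEmailLoginController.php
+++ b/src/applications/auth/controller/PhabricatorEmailLoginController.php
@@ -53,6 +53,14 @@
     // it expensive to fish for valid email addresses while giving the user
     // a better error if they goof their email.
 
+    $action_actor = PhabricatorSystemActionEngine::newActorFromRequest(
+      $request);
+
+    PhabricatorSystemActionEngine::willTakeAction(
+      array($action_actor),
+      new PhabricatorAuthTryEmailLoginAction(),
+      1);
+
     $target_email = id(new PhabricatorUserEmail())->loadOneWhere(
       'address = %s',
       $v_email);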
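Review bot: The new throttle keys on `PhabricatorSystemActionEngine::newActorFromRequest($request)`, i.e. the remote address alone, so on installs behind a reverse proxy or serving many users from one NAT egress, everyone may share a single twenty-per-hour bucket and legitimate users could be locked out of recovery by unrelated traffic; whether that applies depends on what `getRemoteAddress()` returns behind a proxy, which this hunk does not show. Placing the check before the email lookup is the right choice because hits and misses then count equally, and that intent deserves a comment such as `// Throttle by remote address before the lookup so the limit applies whether or not the address exists.`. If `willTakeAction()` signals the limit by throwing, confirm that the controller presents it as a normal error page rather than a generic failure; the enclosing method starts and ends outside the hunk.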
+4
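--- a/src/applications/system/engine/PhabricatorSystemActionEngine.php
+++ b/src/applications/system/engine/PhabricatorSystemActionEngine.php
@@ -198,4 +198,8 @@
     return $conn_w->getAffectedRows();
   }
 
+  public static function newActorFromRequest(AphrontRequest $request) {
+    return $request->getRemoteAddress();
+  }
+
 }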
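Review bot: `newActorFromRequest()` has no docblock and its contract is not obvious from the body: it returns whatever `getRemoteAddress()` yields, so callers cannot tell whether a request with no usable address (if that method can return null, for example for non-HTTP or proxied requests) produces a null actor that the engine would then group under one key. A short docblock stating this would be enough, e.g. `/** Build a rate-limit actor key from the request's remote address. The key is shared by every client behind the same proxy or NAT. */`. If a null or empty address is possible, the docblock should also say what the caller should expect in that case.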