Apply rate limiting to forgot password (NamelessMC#3130)

* Apply rate limiting to forgot password * Update modules/Core/pages/forgot_password.php Co-authored-by: Tadhg Boyle <tadhgsmboyle@gmail.com> * remove unused variable * Use static function * Allow two attempts per minute * Update forgot_password.php Co-authored-by: Tadhg Boyle <tadhgsmboyle@gmail.com>
Pepe-tf · Dec 12, 2022 · b933903 · b933903
1 parent f5c3a7d
commit b933903
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/modules/Core/pages/forgot_password.php b/modules/Core/pages/forgot_password.php
@@ -23,9 +23,20 @@
     // Enter email address form
     if (Input::exists()) {
         if (Token::check()) {
-            if (!isset($_POST['email']) || empty($_POST['email'])) {
-                $error = $language->get('user', 'email_required');
-            } else {
+
+            $validation = Validate::check([
+                'email' => [
+                    Validate::REQUIRED => true,
+                    Validate::RATE_LIMIT => [2, 60] // 2 attempts every 60 seconds
+                ]
+            ])->messages([
+                'email' => [
+                    Validate::REQUIRED => $language->get('user', 'email_required'),
+                    Validate::RATE_LIMIT => static fn($meta) => $language->get('general', 'rate_limit', $meta)
+                ]
+            ]);
+
+            if ($validation->passed()) {
                 // Check to see if the email exists
                 $target_user = new User(Input::get('email'), 'email');
                 if ($target_user->exists() && $target_user->data()->active) {
@@ -61,6 +72,8 @@
                 }
 
                 $success = $language->get('user', 'forgot_password_email_sent');
+            } else {
+                $error = join('<br />', $validation->errors());
             }
         } else {
             $error = $language->get('general', 'invalid_token');