Added rate limiting for login and forgot password

2026-01-06 07:41:05 +01:00 · 2017-08-28 14:24:48 -06:00
parent 0c11df8f67
commit 87d4c28b4a
3 changed files with 24 additions and 4 deletions
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -1152,6 +1152,7 @@ class AdminController extends AdminBaseController
        $param_sep = $this->grav['config']->get('system.param_sep', ':');
        $post      = $this->post;
        $data      = $this->data;
+        $login     = $this->grav['login'];

        $username = isset($data['username']) ? strip_tags(strtolower($data['username'])) : '';
        $user     = !empty($username) ? User::load($username) : null;
@@ -1179,6 +1180,16 @@ class AdminController extends AdminBaseController
            return true;
        }

+        $count = $this->grav['config']->get('plugins.login.max_pw_resets_count', 0);
+        $interval =$this->grav['config']->get('plugins.login.max_pw_resets_interval', 2);
+
+        if ($login->isUserRateLimited($user, 'pw_resets', $count, $interval)) {
+            $this->admin->setMessage($this->admin->translate(['PLUGIN_LOGIN.FORGOT_CANNOT_RESET_IT_IS_BLOCKED', $user->email, $interval]), 'error');
+            $this->setRedirect($post['redirect']);
+
+            return true;
+        }
+
        $token  = md5(uniqid(mt_rand(), true));
        $expire = time() + 604800; // next week