Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-01 11:35:55 +01:00
Code Issues Packages Projects Releases Wiki Activity

removed error output from user reset for rate limiting or incorrect email, so users cannot validate emails via this endpoint

Browse Source
This commit is contained in:
Julian Lam
2018-04-04 13:09:53 -04:00
parent 9c4d17dbf1
commit f769e734ed
2 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/socket.io/user.js
View File

@@ -88,15 +88,20 @@ SocketUser.reset.send = function (socket, email, callback) {
}
user.reset.send(email, function (err) {
if (err && err.message !== '[[error:invalid-email]]') {
return callback(err);
if (err) {
switch (err.message) {
case '[[error:invalid-email]]':
winston.warn('[user/reset] Invalid email attempt: ' + email + ' by IP ' + socket.ip + (socket.uid ? ' (uid: ' + socket.uid + ')' : ''));
err = null;
break;
case '[[error:reset-rate-limited]]':
err = null;
break;
}
if (err && err.message === '[[error:invalid-email]]') {
winston.verbose('[user/reset] Invalid email attempt: ' + email);
return setTimeout(callback, 2500);
}
callback();
setTimeout(callback.bind(err), 2500);
});
};

2
src/user/reset.js
View File

@@ -51,7 +51,7 @@ function canGenerate(uid, callback) {
},
function (score, next) {
if (score > Date.now() - (1000 * 60)) {
return next(new Error('[[error:cant-reset-password-more-than-once-a-minute]]'));
return next(new Error('[[error:reset-rate-limited]]'));
}
next();
},