ResetPassword: add time-out to password resets; prevent repeated mails

2024-11-05 17:19:59 +01:00
parent eb7a40a70d
commit adfb5a2198
4 changed files with 72 additions and 1 deletions
--- a/controllers/ResetPassword.php
+++ b/controllers/ResetPassword.php
@@ -37,6 +37,24 @@ class ResetPassword extends HTMLController
 				return;
 			}

+			if (Authentication::getResetTimeOut($user->getUserId()) > 0)
+			{
+				// Update the reset time-out to prevent hammering
+				$resetTimeOut = Authentication::updateResetTimeOut($user->getUserId());
+
+				// Present it to the user in a readable way
+				if ($resetTimeOut > 3600)
+					$timeOut = sprintf('%d hours', ceil($resetTimeOut / 3600));
+				elseif ($resetTimeOut > 60)
+					$timeOut = sprintf('%d minutes', ceil($resetTimeOut / 60));
+				else
+					$timeOut = sprintf('%d seconds', $resetTimeOut);
+
+				$form->adopt(new Alert('Password reset token already sent', 'We already sent a password reset token to this email address recently. ' .
+					'If no email was received, please wait ' . $timeOut . ' to try again.', 'error'));
+				return;
+			}
+
 			Authentication::setResetKey($user->getUserId());
 			Email::resetMail($user->getUserId());

@@ -76,6 +94,10 @@ class ResetPassword extends HTMLController
 			if (empty($missing))
 			{
 				Authentication::updatePassword($user->getUserId(), Authentication::computeHash($_POST['password1']));
+
+				// Consume token, ensuring it isn't used again
+				Authentication::consumeResetKey($user->getUserId());
+
 				$_SESSION['login_msg'] = ['Your password has been reset', 'You can now use the form below to log in to your account.', 'success'];
 				header('Location: ' . BASEURL . '/login/');
 				exit;