
Add a rate limit to requesting account recovery links from a given remote…

Description

Add a rate limit to requesting account recovery links from a given remote address

Summary:
Depends on D20666. Ref T13343. In D20666, I limited the rate at which a given user account can be sent account recovery links.

Here, add a companion limit to the rate at which a given remote address may request recovery of any account. This limit is a little more forgiving since reasonable users may plausibly try multiple variations of several email addresses, make typos, etc. The goal is just to hinder attackers from fishing for every address under the sun on installs with no CAPTCHA configured and no broad-spectrum VPN-style access controls.

Test Plan: {F6607846}

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13343

Differential Revision: https://secure.phabricator.com/D20667
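
A sketch of the two companion limits the commit message describes, a stricter one per account and a more forgiving one per remote address. This is an added example, not Phabricator or Phorge code; the window, both budgets, the class names and the sample traffic are assumptions made up for illustration.

```python
from collections import defaultdict, deque

WINDOW = 3600       # seconds (assumed)
ACCOUNT_LIMIT = 3   # recovery links per account per window (assumed)
ADDRESS_LIMIT = 10  # requests per remote address per window (assumed, looser)


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in the trailing `window` seconds."""
    def __init__(self, limit, window=WINDOW):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()              # drop events that aged out of the window
        if len(q) >= self.limit:
            return False             # denied attempts are not recorded
        q.append(now)
        return True


class RecoveryGate:
    """Hypothetical front end for a 'send me a recovery link' form."""
    def __init__(self):
        self.by_address = SlidingWindowLimiter(ADDRESS_LIMIT)
        self.by_account = SlidingWindowLimiter(ACCOUNT_LIMIT)

    def request(self, remote_addr, email, now):
        # Charged on every attempt, before any account lookup, so guessing
        # addresses that do not exist still spends the requester's budget.
        if not self.by_address.allow(remote_addr, now):
            return "address-limited"
        if not self.by_account.allow(email.strip().lower(), now):
            return "account-limited"
        return "sent"


def simulate():
    """Constructed traffic: a user making typos, then one address sweeping."""
    gate = RecoveryGate()
    tries = ["alice@exmaple.com", "alice@example.com", "alice@example.org"]
    user = [gate.request("198.51.100.7", e, t) for t, e in enumerate(tries)]
    sweep = [gate.request("203.0.113.9", f"user{i}@example.com", 100 + i)
             for i in range(15)]
    later = gate.request("203.0.113.9", "user99@example.com", 100 + WINDOW + 20)
    return user, sweep, later
```

In the constructed run, the user trying three variations is never limited, while the address that sweeps fifteen different accounts is cut off after its tenth request and allowed again only once the window has passed.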

Details

Provenance
epriestley Authored on Jul 19 2019, 9:56 AM
themackabu Pushed on Mar 25 2025, 8:07 PM
Parents
rP80294e7a4ad1: Add a rate limit to generating new account recovery links for a given account
Branches
Unknown
Tags
Unknown
