Differential D20666

Add a rate limit to generating new account recovery links for a given account
ClosedPublic
Actions

Authored by epriestley on Jul 19 2019, 4:42 PM.

Tags

None

Referenced Files

	F15470017: D20666.id49293.diff
	Fri, Apr 4, 7:00 PM

	F15462470: D20666.diff
	Tue, Apr 1, 3:16 PM

	F15461242: D20666.id49293.diff
	Tue, Apr 1, 6:34 AM

	F15459968: D20666.id49306.diff
	Mon, Mar 31, 6:42 PM

	F15455282: D20666.id49293.diff
	Sat, Mar 29, 11:17 PM

	F15451714: D20666.id.diff
	Fri, Mar 28, 11:29 PM

	F15446230: D20666.diff
	Thu, Mar 27, 5:52 PM

	F15445294: D20666.diff
	Thu, Mar 27, 1:19 PM

Subscribers

None

Details

Reviewers

Maniphest Tasks

T13343: Make "Send a login link to your email address" email include why it was sent to avoid confusion

Commits

rP80294e7a4ad1: Add a rate limit to generating new account recovery links for a given account

Summary

Depends on D20665. Ref T13343. We support CAPTCHAs on the "Forgot password?" flow, but not everyone configures them (or necessarily should, since ReCAPTCHA is a huge external dependency run by Google that requires you allow Google to execute JS on your domain) and the rate at which any reasonable user needs to take this action is very low.

Put a limit on the rate at which account recovery links may be generated for a particular account, so the worst case is a trickle of annoyance rather than a flood of nonsense.

Test Plan

Screen Shot 2019-07-19 at 9.39.15 AM.png (729×1 px, 139 KB)

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Jul 19 2019, 4:42 PM

Harbormaster completed remote builds in B23160: Diff 49293.Jul 19 2019, 4:44 PM

epriestley requested review of this revision.Jul 19 2019, 4:44 PM

epriestley added a child revision: D20667: Add a rate limit to requesting account recovery links from a given remote address.Jul 19 2019, 5:02 PM

amckinley accepted this revision.Jul 19 2019, 9:41 PM

This revision is now accepted and ready to land.Jul 19 2019, 9:41 PM

Closed by commit rP80294e7a4ad1: Add a rate limit to generating new account recovery links for a given account (authored by epriestley). · Explain WhyJul 19 2019, 10:42 PM

This revision was automatically updated to reflect the committed changes.

epriestley added a commit: rP80294e7a4ad1: Add a rate limit to generating new account recovery links for a given account.

Revision Contents
Changeset List

Path

Size

src/

__phutil_library_map__.php

applications/

auth/

action/

PhabricatorAuthEmailLoginAction.php

21 lines

people/

mail/

PhabricatorPeopleEmailLoginMailEngine.php

6 lines

Diff 49306

src/__phutil_library_map__.php

Loading...

src/applications/auth/action/PhabricatorAuthEmailLoginAction.php

Loading...

src/applications/people/mail/PhabricatorPeopleEmailLoginMailEngine.php

Loading...