Differential D20667

Add a rate limit to requesting account recovery links from a given remote address
ClosedPublic
Actions

Authored by epriestley on Jul 19 2019, 5:02 PM.

Tags

None

Referenced Files

	F13082302: D20667.diff
	Wed, Apr 24, 10:05 PM

	Unknown Object (File)
	Sun, Apr 21, 4:12 PM

	Unknown Object (File)
	Fri, Apr 19, 9:05 PM

	Unknown Object (File)
	Fri, Apr 19, 3:18 AM

	Unknown Object (File)
	Fri, Apr 19, 3:18 AM

	Unknown Object (File)
	Fri, Apr 19, 3:17 AM

	Unknown Object (File)
	Wed, Apr 17, 3:15 PM

	Unknown Object (File)
	Thu, Apr 11, 7:24 AM

Subscribers

None

Details

Reviewers

Maniphest Tasks

T13343: Make "Send a login link to your email address" email include why it was sent to avoid confusion

Commits

rPe090b32c7528: Add a rate limit to requesting account recovery links from a given remote…

Summary

Depends on D20666. Ref T13343. In D20666, I limited the rate at which a given user account can be sent account recovery links.

Here, add a companion limit to the rate at which a given remote address may request recovery of any account. This limit is a little more forgiving since reasonable users may plausibly try multiple variations of several email addresses, make typos, etc. The goal is just to hinder attackers from fishing for every address under the sun on installs with no CAPTCHA configured and no broad-spectrum VPN-style access controls.

Test Plan

Screen Shot 2019-07-19 at 9.57.53 AM.png (894×1 px, 156 KB)

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Jul 19 2019, 5:02 PM

Harbormaster completed remote builds in B23161: Diff 49294.Jul 19 2019, 5:04 PM

epriestley requested review of this revision.Jul 19 2019, 5:04 PM

epriestley added a child revision: D20668: Replace old rate limiting in password login flow with "SystemAction" rate limiting.Jul 19 2019, 5:21 PM

amckinley accepted this revision.Jul 19 2019, 9:42 PM

This revision is now accepted and ready to land.Jul 19 2019, 9:42 PM

Closed by commit rPe090b32c7528: Add a rate limit to requesting account recovery links from a given remote… (authored by epriestley). · Explain WhyJul 19 2019, 10:43 PM

This revision was automatically updated to reflect the committed changes.

epriestley added a commit: rPe090b32c7528: Add a rate limit to requesting account recovery links from a given remote….

Revision Contents
Changeset List

Path

Size

src/

__phutil_library_map__.php

applications/

auth/

action/

PhabricatorAuthTryEmailLoginAction.php

22 lines

controller/

PhabricatorEmailLoginController.php

8 lines

system/

engine/

PhabricatorSystemActionEngine.php

4 lines

Diff 49307

src/__phutil_library_map__.php

Loading...

src/applications/auth/action/PhabricatorAuthTryEmailLoginAction.php

Loading...

src/applications/auth/controller/PhabricatorEmailLoginController.php

Loading...

src/applications/system/engine/PhabricatorSystemActionEngine.php

Loading...