Add rate limiting on lost password emails

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>

Author: come-nc

core/Controller/LostController.php

@@ -53,7 +53,6 @@
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\Mail\IMailer;
-use OCP\Security\VerificationToken\InvalidTokenException;
 use OCP\Security\VerificationToken\IVerificationToken;
 use function array_filter;
 use function count;
@@ -294,6 +293,12 @@ protected function sendEmail($input) {
 			throw new ResetPasswordException('Could not send reset e-mail since there is no email for username ' . $input);
 		}
 
+		try {
+			$this->limiter->registerUserRequest('lostpasswordemail', 5, 1800, $user);
+		} catch (RateLimitExceededException $e) {
+			throw new ResetPasswordException('Could not send reset e-mail, 5 of them were already sent in the last 30 minutes', 0, $e);
+		}
+
 		// Generate the token. It is stored encrypted in the database with the
 		// secret being the users' email address appended with the system secret.
 		// This makes the token automatically invalidate once the user changes

lib/private/Security/RateLimiting/Limiter.php

@@ -45,7 +45,7 @@ public function __construct(IBackend $backend) {
 	/**
 	 * @param string $methodIdentifier
 	 * @param string $userIdentifier
-	 * @param int $period
+	 * @param int $period in seconds
 	 * @param int $limit
 	 * @throws RateLimitExceededException
 	 */
@@ -66,7 +66,7 @@ private function register(string $methodIdentifier,
 	 *
 	 * @param string $identifier
 	 * @param int $anonLimit
-	 * @param int $anonPeriod
+	 * @param int $anonPeriod in seconds
 	 * @param string $ip
 	 * @throws RateLimitExceededException
 	 */
@@ -85,7 +85,7 @@ public function registerAnonRequest(string $identifier,
 	 *
 	 * @param string $identifier
 	 * @param int $userLimit
-	 * @param int $userPeriod
+	 * @param int $userPeriod in seconds
 	 * @param IUser $user
 	 * @throws RateLimitExceededException
 	 */