Fix ratelimiter for forgotpassword

This commit is contained in:
nicolas.dorier
2021-03-28 20:56:46 +09:00
parent 85ba9e96a0
commit b7b6cef880
3 changed files with 4 additions and 5 deletions


@@ -547,6 +547,7 @@ namespace BTCPayServer.Controllers
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
[RateLimitsFilter(ZoneLimits.ForgotPassword, Scope = RateLimitsScope.RemoteAddress)]
public async Task<IActionResult> ForgotPassword(ForgotPasswordViewModel model)
{
if (ModelState.IsValid)
@@ -557,8 +558,6 @@ namespace BTCPayServer.Controllers
// Don't reveal that the user does not exist or is not confirmed
return RedirectToAction(nameof(ForgotPasswordConfirmation));
}
if (!await _rateLimitService.Throttle(ZoneLimits.ForgotPassword, user.NormalizedEmail))
return new TooManyRequestsResult(ZoneLimits.ForgotPassword);
_eventAggregator.Publish(new UserPasswordResetRequestedEvent()
{
User = user, RequestUri = Request.GetAbsoluteRootUri()
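Review bot: Moving the throttle to `RateLimitsFilter(..., Scope = RateLimitsScope.RemoteAddress)` on the action changes what is being limited: the old `_rateLimitService.Throttle(ZoneLimits.ForgotPassword, user.NormalizedEmail)` keyed on the target account, so one mailbox could not be flooded with reset mails from many sources, whereas the new filter keys only on the caller's address and a distributed sender (or a shared NAT/proxy egress) is no longer bounded per victim. The two scopes protect different things, so I would keep the per-address filter and also reinstate the per-account check after the user lookup, `if (!await _rateLimitService.Throttle(ZoneLimits.ForgotPassword, user.NormalizedEmail)) return new TooManyRequestsResult(ZoneLimits.ForgotPassword);`, so that both limits apply. Whether the filter's notion of remote address honours forwarded headers when the server sits behind a reverse proxy is not visible here; presumably `RateLimitsFilter` uses the connection's remote IP, so that should be confirmed against the forwarded-headers configuration, since otherwise every user behind the proxy shares one bucket or the limit can be bypassed by spoofing the header. The body of `ForgotPassword` continues past the end of this section.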