Merge pull request #3862 from Laravel-Backpack/throttle-password-request

Throttle password request attempts

Author: tabacitu

src/BackpackServiceProvider.php

@@ -2,6 +2,7 @@
 
 namespace Backpack\CRUD;
 
+use Backpack\CRUD\app\Http\Middleware\ThrottlePasswordRecovery;
 use Backpack\CRUD\app\Library\CrudPanel\CrudPanel;
 use Illuminate\Routing\Router;
 use Illuminate\Support\Collection;
@@ -93,6 +94,12 @@ public function registerMiddlewareGroup(Router $router)
         foreach ($middleware_class as $middleware_class) {
             $router->pushMiddlewareToGroup($middleware_key, $middleware_class);
         }
+
+        // register internal backpack middleware for throttling the password recovery functionality
+        // but only if functionality is enabled by developer in config
+        if (config('backpack.base.setup_password_recovery_routes')) {
+            $router->aliasMiddleware('backpack.throttle.password.recovery', ThrottlePasswordRecovery::class);
+        }
     }
 
     public function publishFiles()
@@ -268,7 +275,8 @@ public function loadConfigs()
             'backpack' => [
                 'provider'  => 'backpack',
                 'table'     => 'password_resets',
-                'expire'    => 60,
+                'expire'   => 60,
+                'throttle' => config('backpack.base.password_recovery_throttle_notifications'),
             ],
         ];
 

src/app/Http/Middleware/ThrottlePasswordRecovery.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace Backpack\CRUD\app\Http\Middleware;
+
+use Illuminate\Routing\Middleware\ThrottleRequests;
+use Illuminate\Validation\ValidationException;
+
+class ThrottlePasswordRecovery extends ThrottleRequests
+{
+    /**
+     * Return a validation exception with a nice message to the user instead of the big fat app error.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  string  $key
+     * @param  int  $maxAttempts
+     * @param  callable|null  $responseCallback
+     * @return \Illuminate\Validation\ValidationException
+     */
+    protected function buildException($request, $key, $maxAttempts, $responseCallback = null)
+    {
+        return ValidationException::withMessages([
+            'email' => [trans('backpack::base.throttled_request')],
+        ]);
+    }
+}

src/app/Library/Auth/PasswordBroker.php

@@ -12,6 +12,8 @@
  */
 class PasswordBroker extends OriginalPasswordBroker
 {
+    public const RESET_THROTTLED = 'backpack::base.throttled';
+
     /**
      * Send a password reset link to a user.
      *
@@ -29,7 +31,8 @@ public function sendResetLink(array $credentials, Closure $callback = null)
             return static::INVALID_USER;
         }
 
-        if ($this->tokens->recentlyCreatedToken($user)) {
+        if (method_exists($this->tokens, 'recentlyCreatedToken') &&
+            $this->tokens->recentlyCreatedToken($user)) {
             return static::RESET_THROTTLED;
         }
 

src/config/backpack/base.php

@@ -193,10 +193,6 @@
     // Warning: if you disable this, the password recovery routes (below) will be disabled too!
     'setup_auth_routes' => true,
 
-    // Set this to false if you would like to skip adding the password recovery routes
-    // (you then need to manually define the routes in your web.php)
-    'setup_password_recovery_routes' => true,
-
     // Set this to false if you would like to skip adding the dashboard routes
     // (you then need to overwrite the login route on your AuthController)
     'setup_dashboard_routes' => true,
@@ -205,6 +201,32 @@
     // (you then need to manually define the routes in your web.php)
     'setup_my_account_routes' => true,
 
+    // Set this to false if you would like to skip adding the password recovery routes
+    // (you then need to manually define the routes in your web.php)
+    'setup_password_recovery_routes' => true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Security
+    |--------------------------------------------------------------------------
+    */
+
+    // Backpack will prevent visitors from requesting password recovery too many times
+    // for a certain email, to make sure they cannot be spammed that way.
+    // How many seconds should a visitor wait, after they've requested a
+    // password reset, before they can try again for the same email?
+    'password_recovery_throttle_notifications' => 600, // time in seconds
+
+    // Backpack will prevent an IP from trying to reset the password too many times,
+    // so that a malicious actor cannot try too many emails, too see if they have
+    // accounts or to increase the AWS/SendGrid/etc bill.
+    //
+    // How many times in any given time period should the user be allowed to
+    // attempt a password reset? Take into account that user might wrongly
+    // type an email at first, so at least allow one more try.
+    // Defaults to 3,10 - 3 times in 10 minutes.
+    'password_recovery_throttle_access' => '3,10',
+
     /*
     |--------------------------------------------------------------------------
     | Authentication

src/resources/lang/en/base.php

@@ -66,5 +66,7 @@
     'confirm_email'        => 'Confirm Email',
     'choose_new_password'  => 'Choose New Password',
     'confirm_new_password' => 'Confirm new password',
+    'throttled'            => 'You have already requested a password reset recently. Please check your email. If you do not receive our email, please retry later.',
+    'throttled_request'    => 'You have exceeded the limit of tries. Please wait a few minutes and try again.',
 
 ];

src/resources/lang/pt/base.php

@@ -66,5 +66,6 @@
     'confirm_email'        => 'Confirmar Email',
     'choose_new_password'  => 'Escolher nova password',
     'confirm_new_password' => 'Confirmar nova password',
-
+    'throttled' => 'Efetuou um pedido de recuperação de password recentemente. Verifique o seu email. Caso não tenha recebido o email tente novamente dentro de alguns instantes.',
+    'throttled_request' => 'Excedeu o limite de tentativas. Aguarde alguns minutos e tente novamente.',
 ];

src/resources/lang/ro/base.php

@@ -57,4 +57,6 @@
         'button'   => 'Schimbă parola',
         'notice'   => 'Dacă nu ați facut dvs cererea, nu este nevoie să faceți nimic, parola nu va fi schimbată.',
     ],
+    'throttled'            => 'Ați cerut deja schimbarea parolei, de curând. Verificați email-ul primit pentru instrucțiuni. Dacă nu primiți email-ul, vă rugăm să încercați mai târziu.',
+    'throttled_request'    => 'Ați depășit limita de încercări. Așteptați câteva minute, apoi încercați din nou.',
 ];

src/routes/backpack/base.php

@@ -34,7 +34,7 @@ function () {
             Route::get('password/reset', 'Auth\ForgotPasswordController@showLinkRequestForm')->name('backpack.auth.password.reset');
             Route::post('password/reset', 'Auth\ResetPasswordController@reset');
             Route::get('password/reset/{token}', 'Auth\ResetPasswordController@showResetForm')->name('backpack.auth.password.reset.token');
-            Route::post('password/email', 'Auth\ForgotPasswordController@sendResetLinkEmail')->name('backpack.auth.password.email');
+            Route::post('password/email', 'Auth\ForgotPasswordController@sendResetLinkEmail')->name('backpack.auth.password.email')->middleware('backpack.throttle.password.recovery:'.config('backpack.base.password_recovery_throttle_access'));
         }
     }