Stall login/pw reset to prevent email leaking (#7105)

This commit is contained in:
Rijk van Zanten
2021-07-30 21:01:07 +02:00
committed by GitHub
parent a55d1bc4a7
commit 956c590f0c
3 changed files with 59 additions and 1 deletions


@@ -20,6 +20,7 @@ import { AuthenticationService } from './authentication';
import { ItemsService, MutationOptions } from './items';
import { MailService } from './mail';
import { SettingsService } from './settings';
import { stall } from '../utils/stall';
export class UsersService extends ItemsService {
knex: Knex;
@@ -345,8 +346,14 @@ export class UsersService extends ItemsService {
}
async requestPasswordReset(email: string, url: string | null, subject?: string | null): Promise<void> {
const STALL_TIME = 500;
const timeStart = performance.now();
const user = await this.knex.select('id').from('directus_users').where({ email }).first();
if (!user) throw new ForbiddenException();
if (!user) {
await stall(STALL_TIME, timeStart);
throw new ForbiddenException();
}
const mailService = new MailService({
schema: this.schema,
@@ -375,6 +382,8 @@ export class UsersService extends ItemsService {
},
},
});
await stall(STALL_TIME, timeStart);
}
async resetPassword(token: string, password: string): Promise<void> {