mastoapi password reset

added rate limit to password reset configure rate limit in runtime
2019-07-16 21:44:50 +00:00 · 2019-07-16 21:44:50 +00:00 · 10f82c88b8
commit 10f82c88b8
parent 33fbb638cd
8 changed files with 90 additions and 6 deletions
--- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
@ -73,6 +73,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
  plug(RateLimiter, :statuses_actions when action in @rate_limited_status_actions)
  plug(RateLimiter, :app_account_creation when action == :account_register)
  plug(RateLimiter, :search when action in [:search, :search2, :account_search])
+  plug(RateLimiter, :password_reset when action == :password_reset)

  @local_mastodon_name "Mastodon-Local"

@ -1816,6 +1817,22 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    end
  end

+  def password_reset(conn, params) do
+    nickname_or_email = params["email"] || params["nickname"]
+
+    with {:ok, _} <- TwitterAPI.password_reset(nickname_or_email) do
+      conn
+      |> put_status(:no_content)
+      |> json("")
+    else
+      {:error, "unknown user"} ->
+        put_status(conn, :not_found)
+
+      {:error, _} ->
+        put_status(conn, :bad_request)
+    end
+  end
+
  def try_render(conn, target, params)
      when is_binary(target) do
    case render(conn, target, params) do
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -691,6 +691,8 @@ defmodule Pleroma.Web.Router do
    get("/web/login", MastodonAPIController, :login)
    delete("/auth/sign_out", MastodonAPIController, :logout)

+    post("/auth/password", MastodonAPIController, :password_reset)
+
    scope [] do
      pipe_through(:oauth_read_or_public)
      get("/web/*path", MastodonAPIController, :index)
--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@ -27,6 +27,7 @@ defmodule Pleroma.Web.TwitterAPI.Controller do

  require Logger

+  plug(Pleroma.Plugs.RateLimiter, :password_reset when action == :password_reset)
  plug(:only_if_public_instance when action in [:public_timeline, :public_and_external_timeline])
  action_fallback(:errors)

@ -437,6 +438,12 @@ defmodule Pleroma.Web.TwitterAPI.Controller do

    with {:ok, _} <- TwitterAPI.password_reset(nickname_or_email) do
      json_response(conn, :no_content, "")
+    else
+      {:error, "unknown user"} ->
+        put_status(conn, :not_found)
+
+      {:error, _} ->
+        put_status(conn, :bad_request)
    end
  end