diff --git a/app/Http/Controllers/Auth/ForgotPasswordController.php b/app/Http/Controllers/Auth/ForgotPasswordController.php
index b816187321..24efd8f0cc 100644
--- a/app/Http/Controllers/Auth/ForgotPasswordController.php
+++ b/app/Http/Controllers/Auth/ForgotPasswordController.php
@@ -92,9 +92,12 @@ class ForgotPasswordController extends Controller
 // We will send the password reset link to this user. Once we have attempted
 // to send the link, we will examine the response then see the message we
 // need to show to the user. Finally, we'll send out a proper response.
- $this->broker()->sendResetLink($request->only('email'));
+ $result = $this->broker()->sendResetLink($request->only('email'));
+ if('passwords.throttled' === $result) {
+ Log::error(sprintf('Cowardly refuse to send a password reset message to user #%d because the reset button has been throttled.', $user->id));
+ }
 
- // always send the same response:
+ // always send the same response to the user:
 $response = trans('firefly.forgot_password_response');
 
 return back()->with('status', trans($response));
diff --git a/config/auth.php b/config/auth.php
index f042c7fb1f..37187762b4 100644
--- a/config/auth.php
+++ b/config/auth.php
@@ -98,8 +98,8 @@ return [
 
 'providers' => [
 'users' => [
- 'driver' => 'eloquent',
- 'model' => FireflyIII\User::class,
+ 'driver' => 'eloquent',
+ 'model' => FireflyIII\User::class,
 ],
 'remote_user_provider' => [
 'driver' => 'remote_user_provider',
@@ -111,7 +111,7 @@ return [
 //'model' => LdapRecord\Models\ActiveDirectory\User::class,
 'model' => LdapRecord\Models\OpenLDAP\User::class,
 'rules' => [
- UserDefinedRule::class
+ UserDefinedRule::class,
 ],
 'database' => [
 'model' => FireflyIII\User::class,
@@ -141,6 +141,7 @@ return [
 'provider' => 'users',
 'table' => 'password_resets',
 'expire' => 60,
+ 'throttle' => 300, // Allows a user to request 1 token per 300 seconds
 ],
 ],
 /*
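Review bot: The new log line dereferences `$user->id`, but `$user` is assigned outside this hunk and the hunk gives no guarantee it is non-null at this point; if an earlier branch lets a null `$user` reach `sendResetLink()`, the log call itself would fault and the uniform "same response" path just below it would be lost. If nullability cannot be ruled out where `$user` is set, write `$user?->id` (the `%d` will then print 0) or log the throttled result without a user reference. Logging a normal throttle hit at `error` level also looks too severe for an expected rate-limit outcome and can drown real errors in alerting; `Log::warning(...)` or `Log::info(...)` would be the conventional level, and PSR-12 wants a space in `if ('passwords.throttled' === $result) {`. The enclosing method starts before the hunk.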
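Review bot: The added `throttle` key is expressed in seconds while the adjacent `expire` key is interpreted by Laravel's password broker in minutes, so the two numbers next to each other (60 and 300) are easy to misread when someone tunes them later. I'd annotate the existing key as well, `'expire' => 60, // minutes until a reset token is invalid`, so the unit difference is visible in the config rather than only in the new comment. The throttle governs token creation for an existing user only; it does not rate-limit the endpoint itself, which is worth stating in the comment if that is the intended scope.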