
[SMS API] "Rate Limit" and "max_attempts" are not working once captcha is submitted. #763

Closed
abhisheksahnii opened this issue Mar 15, 2023 · 5 comments · Fixed by #978

@abhisheksahnii

I am using SMS service to reset the passwords using SMS API and able to receive the reset tokens successfully.

ISSUE:
I tried to limit the number of times a user can use the SMS option to reset their password, following the above-mentioned links, but the user is still able to get an unlimited number of tokens by just refreshing the SMS token submit page.

ltb_configuration.txt

(Screenshot attached: 2023-03-15 151501)

This may be a bug

coudot (Member) commented Mar 15, 2023

Maybe linked to #736

@coudot coudot added the bug label Mar 15, 2023
@coudot coudot added this to the 1.5.3 milestone Mar 15, 2023
@coudot coudot modified the milestones: 1.5.3, 1.6.0 May 12, 2023
@coudot coudot self-assigned this Mar 7, 2024
coudot (Member) commented Mar 7, 2024

We will see that with @armfem

coudot (Member) commented Apr 26, 2024

We indeed still reproduce the bug

A solution would be to create a form token in the first screen, in a hidden field, then invalidate this token before sending the SMS. In this case a refresh would not resend the SMS as the form token won't be accepted again.

We need to implement this and be sure it does not cause regression.

Targeting for a further release

@coudot coudot modified the milestones: 1.6.0, 1.7.0 Apr 26, 2024
davidcoutadeur commented Jul 3, 2024

When working on this issue, don't forget to pull the captcha refactoring work done in #894 (pushed on master)

davidcoutadeur commented

@abhisheksahnii It should be ok now with PR #978

For solving this, we now use a form token between two steps, for validating that one step is only done once.
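The single-use form token that coudot proposed and that PR #978 implements (a hidden field issued on the first screen, invalidated before the SMS is sent, so a page refresh cannot trigger a second send) is illustrated below as an added example. This is not code from the LTB Self Service Password project, which is written in PHP; it is a language-independent sketch of the pattern in Python. The names `ResetSession`, `issue_form_token`, `consume_form_token`, `handle_sms_submit` and the sample phone number are assumptions made for this illustration. The example also shows why the token must be consumed before the SMS is sent: the attempt counter is then only ever incremented by a genuinely new submission, so `max_attempts` is enforced again.

```python
"""Single-use form token between two steps of an SMS password-reset flow.

Added illustration (hypothetical names), not the project's own code.
"""
import hmac
import secrets
import time


class ResetSession:
    """Stand-in for the server-side session store of one user (constructed for this example)."""

    def __init__(self, max_attempts=3, window_seconds=600, token_max_age=300):
        self.tokens = {}              # form_token -> time it was issued
        self.attempts = 0             # SMS sends in the current window
        self.max_attempts = max_attempts
        self.window_start = time.time()
        self.window_seconds = window_seconds
        self.token_max_age = token_max_age
        self.sent_phones = []         # record of SMS actually sent (for inspection)

    def issue_form_token(self):
        """Step 1: render the form with this value in a hidden field."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time()
        return token

    def consume_form_token(self, submitted):
        """Step 2: accept the hidden field once, then forget it so a replay fails."""
        now = time.time()
        for stored, issued in list(self.tokens.items()):
            # Compare in constant time, then delete regardless of age so it can never be reused.
            if hmac.compare_digest(stored, submitted):
                del self.tokens[stored]
                return (now - issued) <= self.token_max_age
        return False

    def attempt_allowed(self):
        """Sliding window: reset the counter when the window has elapsed."""
        now = time.time()
        if now - self.window_start > self.window_seconds:
            self.window_start = now
            self.attempts = 0
        return self.attempts < self.max_attempts


def handle_sms_submit(session, form_token, phone, send_sms):
    """Step 2 handler for the 'send me a reset token by SMS' submission.

    Returns a short status string so the caller (or a test) can see which
    branch was taken. The form token is consumed first: a refresh replays the
    same hidden value and is rejected before any counter or SMS is touched.
    """
    if not session.consume_form_token(form_token):
        return "invalid_or_replayed_form_token"
    if not session.attempt_allowed():
        return "rate_limited"
    session.attempts += 1
    session.sent_phones.append(phone)
    send_sms(phone)
    return "sms_sent"


if __name__ == "__main__":
    # Constructed walk-through: one real submission, one refresh, then the limit.
    s = ResetSession(max_attempts=2)
    t = s.issue_form_token()
    print(handle_sms_submit(s, t, "+15550100", lambda p: None))   # sms_sent
    print(handle_sms_submit(s, t, "+15550100", lambda p: None))   # invalid_or_replayed_form_token
    print(handle_sms_submit(s, s.issue_form_token(), "+15550100", lambda p: None))  # sms_sent
    print(handle_sms_submit(s, s.issue_form_token(), "+15550100", lambda p: None))  # rate_limited
```

In a real deployment the session store would be the PHP session (or a server-side cache) keyed to the user, and `send_sms` would be the SMS gateway call; the ordering of the three checks is the part that matters for the bug described in this issue.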
