@sgiehl
opened this Pull Request on August 4th 2022
@sgiehl
Description:
In theory is would currently be possible to brute force the reset password token after a password reset was triggered.
Due to the length of the reset token it would take ages to guess the token correctly.
Performing the brute force detection upon a failed try won't hurt, but block the users after several tries and thus makes the process a bit more secure.
Note: I've avoided to also pass the provided login to the failed attempt, so only the IP address will be locked out.
Review
- [ ] Functional review done
- [ ] Potential edge cases thought about (behavior of the code with strange input, with strange internal state or possible interactions with other Matomo subsystems)
- [ ] Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
- [ ] Security review done
- [ ] Wording review done
- [ ] Code review done
- [ ] Tests were added if useful/possible
- [ ] Reviewed for breaking changes
- [ ] Developer changelog updated if needed
- [ ] Documentation added if needed
- [ ] Existing documentation updated if needed
This Pull Request was closed on August 5th 2022