Adding security

src/Confide/CacheLoginThrottleService.php

@@ -98,14 +98,14 @@ protected function parseIdentity($identity)
     protected function countThrottle($identityString, $increments = 1)
     {
         $count = $this->app['cache']
-            ->get('login_throttling:'.md5($identityString), 0);
+            ->get('login_throttling:'.md5($identityString.$this->app['request']->server('REMOTE_ADDR')), 0);
 
         $count = $count + $increments;
 
         $ttl = $this->app['config']->get('confide::throttle_time_period');
 
         $this->app['cache']
-            ->put('login_throttling:'.md5($identityString), $count, $ttl);
+            ->put('login_throttling:'.md5($identityString.$this->app['request']->server('REMOTE_ADDR')), $count, $ttl);
 
         return $count;
     }

src/Confide/Confide.php

@@ -235,13 +235,16 @@ public function isThrottled($identity)
      */
     public function forgotPassword($email)
     {
-        $user = $this->repo->getUserByEmail($email);
+      if($this->passService->isThrottled()) return 'trottling';
 
-        if ($user) {
-            return $this->passService->requestChangePassword($user);
-        }
+      $user = $this->repo->getUserByEmail($email);
 
-        return false;
+      if ($user) {
+          return $this->passService->requestChangePassword($user);
+      }
+      $this->passService->countThrottle();
+
+      return false;
     }
 
     /**
@@ -264,16 +267,16 @@ public function destroyForgotPasswordToken($token)
      *
      * @return ConfideUser
      */
-    public function userByResetPasswordToken($token)
-    {
+     public function userByResetPasswordToken($token)
+     {
         $email = $this->passService->getEmailByToken($token);
 
         if ($email) {
-            return $this->repo->getUserByEmail($email);
+          return $this->repo->getUserByEmail($email);
         }
 
         return false;
-    }
+     }
 
     /**
      * Log the user out of the application.

src/Confide/EloquentPasswordService.php

@@ -39,6 +39,14 @@ public function __construct($app = null)
     public function requestChangePassword(RemindableInterface $user)
     {
         $email = $user->getReminderEmail();
+
+        $record = $this->getRecordByEmail($email);
+
+        if($record)
+        {
+          return $record;
+        }
+
         $token = $this->generateToken();
 
         $values = array(
@@ -59,6 +67,36 @@ public function requestChangePassword(RemindableInterface $user)
         return $token;
     }
 
+    /**
+     * Returns the record for email given
+     *
+     * @param string $token
+     *
+     * @return string Email.
+     */
+    public function getRecordByEmail($email)
+    {
+        $connection = $this->getConnection();
+        $table = $this->getTable();
+
+        $record = $this->app['db']
+            ->connection($connection)
+            ->table($table)
+            ->where('email', '=', $email)
+            ->first();
+        // Check if record date is no longer valid
+        if($record && $record->created_at < $this->getOldestValidDate())
+        {
+          // Delete the record
+          $this->destroyToken($record->token);
+          return null;
+        }
+
+
+        return $record;
+    }
+
+
     /**
      * Returns the email associated with the given reset
      * password token.
@@ -72,17 +110,24 @@ public function getEmailByToken($token)
         $connection = $this->getConnection();
         $table = $this->getTable();
 
-        $email = $this->app['db']
+        $record = $this->app['db']
             ->connection($connection)
             ->table($table)
-            ->select('email')
             ->where('token', '=', $token)
-            ->where('created_at', '>=', $this->getOldestValidDate())
             ->first();
 
-        $email = $this->unwrapEmail($email);
-
-        return $email;
+        if($record)
+        {
+          // Check if record date is valid
+          if($record->created_at >= $this->getOldestValidDate())
+          {
+            $email = $this->unwrapEmail($record);
+            return $email;
+          }
+          // Delete the record if token is no longer valid
+          $this->destroyToken($record->token);
+        }
+        return null;
     }
 
     /**
@@ -199,4 +244,45 @@ protected function getOldestValidDate()
             ->subHours($config->get('confide::confide.password_reset_expiration', 7))
             ->toDateTimeString();
     }
+
+    /**
+     * Tells if the remote IP has reached the throttle_limit.
+     *
+     *
+     * @return bool True if the remote IP has reached the throttle_limit.
+     */
+    public function isThrottled()
+    {
+
+        // Retuns the current count
+        $count = $this->countThrottle(0);
+
+        return $count >= $this->app['config']->get('confide::reset_password_throttle_limit', 4);
+    }
+
+    /**
+     * Increments the count for the remote IP by given $increments
+     * stores it into cache and returns the current value for remote IP
+     * address.
+     *
+     * @param int    $increments     Amount that is going to be added to the throttling attemps for the remote IP.
+     *
+     * @return int How many times that same remote IP was used.
+     */
+    public function countThrottle($increments = 1)
+    {
+        $ip_remote = $this->app['request']->server('REMOTE_ADDR');
+
+        $count = $this->app['cache']
+            ->get('reset_password_throttling:'.md5($ip_remote), 0);
+
+        $count = $count + $increments;
+
+        $ttl = $this->app['config']->get('confide::reset_password_throttle_time_period',15);
+
+        $this->app['cache']
+            ->put('reset_password_throttling:'.md5($ip_remote), $count, $ttl);
+
+        return $count;
+    }
 }

src/config/config.php

@@ -83,6 +83,18 @@
     */
     'password_reset_expiration' => 7, // hours
 
+    /*
+    |--------------------------------------------------------------------------
+    | Password reset Throttle
+    |--------------------------------------------------------------------------
+    |
+    | Defines how many wrong email failed tries from one IP may be done within
+    | the 'reset_password_throttle_time_period', which is in minutes.
+    |
+    */
+    'reset_password_throttle_limit' => 4,
+    'reset_password_throttle_time_period' => 15,
+
     /*
     |--------------------------------------------------------------------------
     | Signup E-mail and confirmation (true or false)