From d729d54de048b31711e5184051bd09e4bdbe0862 Mon Sep 17 00:00:00 2001
From: Bradley Schofield
Date: Tue, 27 Jul 2021 12:07:39 +0100
Subject: [PATCH 1/3] Fix Create JWT abuse key
---
app/controllers/api/account.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 37ab46166d..06e42d662a 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -782,7 +782,7 @@ App::post('/v1/account/jwt')
  ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
  ->label('sdk.response.model', Response::MODEL_JWT)
  ->label('abuse-limit', 10)
- ->label('abuse-key', 'url:{url},userId:{param-userId}')
+ ->label('abuse-key', 'url:{url},userId:{userId}')
  ->inject('response')
  ->inject('user')
  ->action(function ($response, $user) {
From e0761e17376cce78cc0eca913c86a67a2dfe5536 Mon Sep 17 00:00:00 2001
From: Bradley Schofield
Date: Tue, 27 Jul 2021 12:15:59 +0100
Subject: [PATCH 2/3] Fix create email verification abuse-key
---
app/controllers/api/account.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 06e42d662a..dea69037d6 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
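Review bot: The rate-limit key now depends on `{userId}` being a placeholder the abuse-key resolver actually substitutes, and nothing in this hunk shows that it is; if it is not, the stored key is the literal `url:{url},userId:{userId}` for every caller and the limit of 10 is shared by all users of the route, which is presumably the failure mode the old `{param-userId}` had on a route that reads the user via `->inject('user')` and shows no `userId` param in the hunk. The same dependency applies to the `{userId}` keys introduced in PATCH 2/3 and PATCH 3/3. A test that resolves this label for two distinct users and asserts two distinct keys would pin the fix, and a comment on the label, `// keyed per authenticated user, not per request param`, would record why it changed. The `App::post('/v1/account/jwt')` chain begins before the hunk and its action body continues after it.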
@@ -1668,7 +1668,7 @@ App::post('/v1/account/verification')
  ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
  ->label('sdk.response.model', Response::MODEL_TOKEN)
  ->label('abuse-limit', 10)
- ->label('abuse-key', 'url:{url},email:{param-email}')
+ ->label('abuse-key', 'url:{url},email:{userId}')
  ->param('url', '', function ($clients) { return new Host($clients); }, 'URL to redirect the user back to your app from the verification email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', false, ['clients']) // TODO add built-in confirm page
  ->inject('request')
  ->inject('response')
From 7974a6ba5e3e1643c7ebd2ec5033129c611a52e9 Mon Sep 17 00:00:00 2001
From: Bradley Schofield
Date: Tue, 27 Jul 2021 12:21:26 +0100
Subject: [PATCH 3/3] Update account.php
---
app/controllers/api/account.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index dea69037d6..7bb4cbb28a 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
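Review bot: Switching this bucket from the address being verified to the requesting user changes what the limit protects: ten requests per user per URL rather than per recipient. Whether that is the intended guarantee depends on whether this route can send to any address other than the caller's own, which is not visible here; the only param in the hunk is `url`, so the old `{param-email}` placeholder plausibly never resolved and this may be the first time the limit is actually per caller. The commit message would benefit from one sentence stating which resource the limit now guards; the interim `email:` label is corrected in PATCH 3/3 and is not raised here. The `App::post('/v1/account/verification')` chain begins before the hunk and continues after it.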
@@ -1668,7 +1668,7 @@ App::post('/v1/account/verification')
  ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
  ->label('sdk.response.model', Response::MODEL_TOKEN)
  ->label('abuse-limit', 10)
- ->label('abuse-key', 'url:{url},email:{userId}')
+ ->label('abuse-key', 'url:{url},userId:{userId}')
  ->param('url', '', function ($clients) { return new Host($clients); }, 'URL to redirect the user back to your app from the verification email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', false, ['clients']) // TODO add built-in confirm page
  ->inject('request')
  ->inject('response')
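Review bot: With the key settled as `url:{url},userId:{userId}`, the `{url}` component deserves a check that the series does not make: if the resolver substitutes the request's `url` parameter declared two lines below rather than the route path, the bucket varies with caller-supplied input and the per-user limit of 10 is not a hard cap, since each distinct allowed redirect URL starts a fresh bucket. If `{url}` is the route path, a comment on the label, `// {url} is the route, not the redirect param; limit is per user per endpoint`, would settle the question for the next reader; if it is the parameter, keying on `userId:{userId}` alone is the safer choice. The chain begins before the hunk and continues after it.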