SymfonyCasts/reset-password-bundle

TooManyPasswordRequestsException if one request already sent within validity period

php4fan opened this issue · 1 comments

php4fan commented

Steps to reproduce:

  • request a password reset email
  • request one again with the same email address

Expected:
Should work. It may be acceptable that you are unable to send a request again for the same email (or even for different emails from one given device, for that matter) within an unreasonably short time (e.g. one minute or a few seconds) to prevent abuse, but you MUST be able to resend it shortly after

Observed:
If the first password reset request has not expired, you get an error that says:

"You have already requested a reset password email. Please check your email or try again soon"

Note btw that it says "soon" which makes it even more irritating.

Why this is wrong
Here's a couple of obvious examples of why I may need to re-send the email almost immediately:

  1. I haven't received it (and I have checked the spam folder). You may argue that if I haven't received it, chances are I sent it to the wrong address; and if not, that I probably won't receive it the second time either. But "chances are" is not enough. Errors happen. Maybe the application lives on a shitty server, or the user uses a shitty email provider.
  2. I may have accidentally deleted it, which actually is a sub-case of case 1.

These are two completely different concepts:

  • how long a password request lasts until it expires and is no longer valid
  • how long until you are allowed to re-send a password reset request email for the same email.

A reasonable value for the first is usually much much longer than the second.
For the expiration period, the longer the better for convenience purposes; you don't want it to be unreasonably long for security reasons. The default is 1 hour which is pretty reasonable. Even a few days would probably be.

For the second, it is critical that it is as short as possible, because you don't want to keep a user unable to recover access to their account for any longer than a few seconds.
The only reason it has to have a lower limit is to prevent abuse. And for that purpose, it actually doesn't matter whether I'm sending the request to the same email or not (but then I guess a proper rate limiting is beyond the scope of the password reset bundle and should probably be managed at some other level).

So basically, it makes no sense to prevent sending the request if one has already been sent and has not expired. What could make sense is to warn the user in this case and ask for confirmation.

jrushlow commented

Howdy @php4fan, have you checked https://github.com/SymfonyCasts/reset-password-bundle#configuration specifically the throttle_limit configuration option? Changing the lifetime & throttle_limit accordingly should give you all the flexibility you'll need when implementing a reset strategy for your application.