Refactor password reset rate limiting methods

nielsdrost7 · web-flow · commit 8397642b561f · 2025-11-09T13:44:48.000+01:00
diff --git a/application/modules/sessions/controllers/Sessions.php b/application/modules/sessions/controllers/Sessions.php
@@ -197,13 +197,13 @@ public function passwordreset($token = null)
             }
 
             // Security: Check IP-based rate limiting first (prevents email enumeration)
-            if ($this->_is_ip_rate_limited_password_reset(env('PASSWORD_RESET_IP_MAX_ATTEMPTS', 5), env('PASSWORD_RESET_IP_WINDOW_MINUTES', 60))) {
+            if ($this->_is_ip_rate_limited_password_reset() {
                 log_message('warning', trans('log_password_reset_ip_rate_limit') . ' from: ' . $this->input->ip_address());
                 redirect('sessions/login');
             }
 
             // Security: Prevent brute force attacks by counting password reset attempts per email
-            if ($this->_is_email_rate_limited_password_reset($email, env('PASSWORD_RESET_EMAIL_MAX_ATTEMPTS', 3), env('PASSWORD_RESET_EMAIL_WINDOW_HOURS', 1))) {
+            if ($this->_is_email_rate_limited_password_reset($email) {
                 log_message('warning', trans('log_password_reset_email_rate_limit') . ' for: ' . $email . ' from IP: ' . $this->input->ip_address());
                 redirect('sessions/login');
             }
@@ -328,8 +328,11 @@ private function _login_log_check($username)
      *
      * @return bool True if rate limited, false otherwise
      */
-    private function _is_ip_rate_limited_password_reset($max_attempts, $window_minutes)
+    private function _is_ip_rate_limited_password_reset()
     {
+        $attempts = env('PASSWORD_RESET_EMAIL_MAX_ATTEMPTS', 3),
+        $window_minutes = env('PASSWORD_RESET_EMAIL_WINDOW_HOURS', 1))
+        
         $ip_address = $this->input->ip_address();
         $session_key = 'password_reset_attempts_' . md5($ip_address);
         
@@ -386,8 +389,11 @@ private function _record_password_reset_attempt()
      *
      * @return bool True if rate limited, false otherwise
      */
-    private function _is_email_rate_limited_password_reset($email, $max_attempts, $window_hours)
+    private function _is_email_rate_limited_password_reset($email)
     {
+        $attempts = env('PASSWORD_RESET_EMAIL_MAX_ATTEMPTS', 3),
+        $window_minutes = env('PASSWORD_RESET_EMAIL_WINDOW_HOURS', 1))
+    
         $session_key = 'password_reset_email_' . md5($email);
         
         // Get current attempts from session

Original file line number	Diff line number	Diff line change
`@@ -197,13 +197,13 @@ public function passwordreset($token = null)`
`197`	`197`	`}`
`198`	`198`
`199`	`199`	`// Security: Check IP-based rate limiting first (prevents email enumeration)`
`200`		`- if ($this->_is_ip_rate_limited_password_reset(env('PASSWORD_RESET_IP_MAX_ATTEMPTS', 5), env('PASSWORD_RESET_IP_WINDOW_MINUTES', 60))) {`
	`200`	`+ if ($this->_is_ip_rate_limited_password_reset() {`
`201`	`201`	`log_message('warning', trans('log_password_reset_ip_rate_limit') . ' from: ' . $this->input->ip_address());`
`202`	`202`	`redirect('sessions/login');`
`203`	`203`	`}`
`204`	`204`
`205`	`205`	`// Security: Prevent brute force attacks by counting password reset attempts per email`
`206`		`- if ($this->_is_email_rate_limited_password_reset($email, env('PASSWORD_RESET_EMAIL_MAX_ATTEMPTS', 3), env('PASSWORD_RESET_EMAIL_WINDOW_HOURS', 1))) {`
	`206`	`+ if ($this->_is_email_rate_limited_password_reset($email) {`
`207`	`207`	`log_message('warning', trans('log_password_reset_email_rate_limit') . ' for: ' . $email . ' from IP: ' . $this->input->ip_address());`
`208`	`208`	`redirect('sessions/login');`
`209`	`209`	`}`
`@@ -328,8 +328,11 @@ private function _login_log_check($username)`
`328`	`328`	`*`
`329`	`329`	`* @return bool True if rate limited, false otherwise`
`330`	`330`	`*/`
`331`		`- private function _is_ip_rate_limited_password_reset($max_attempts, $window_minutes)`
	`331`	`+ private function _is_ip_rate_limited_password_reset()`
`332`	`332`	`{`
	`333`	`+ $attempts = env('PASSWORD_RESET_EMAIL_MAX_ATTEMPTS', 3),`
	`334`	`+ $window_minutes = env('PASSWORD_RESET_EMAIL_WINDOW_HOURS', 1))`
	`335`	`+`
`333`	`336`	`$ip_address = $this->input->ip_address();`
`334`	`337`	`$session_key = 'password_reset_attempts_' . md5($ip_address);`
`335`	`338`
`@@ -386,8 +389,11 @@ private function _record_password_reset_attempt()`
`386`	`389`	`*`
`387`	`390`	`* @return bool True if rate limited, false otherwise`
`388`	`391`	`*/`
`389`		`- private function _is_email_rate_limited_password_reset($email, $max_attempts, $window_hours)`
	`392`	`+ private function _is_email_rate_limited_password_reset($email)`
`390`	`393`	`{`
	`394`	`+ $attempts = env('PASSWORD_RESET_EMAIL_MAX_ATTEMPTS', 3),`
	`395`	`+ $window_minutes = env('PASSWORD_RESET_EMAIL_WINDOW_HOURS', 1))`
	`396`	`+`
`391`	`397`	`$session_key = 'password_reset_email_' . md5($email);`
`392`	`398`
`393`	`399`	`// Get current attempts from session`