internal password recovery cooldown interval

application/Espo/Core/Rebuild/Actions/AddSystemData.php

@@ -0,0 +1,52 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2023 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Rebuild\Actions;
+
+use Espo\Core\Rebuild\RebuildAction;
+use Espo\Entities\SystemData;
+use Espo\ORM\EntityManager;
+
+class AddSystemData implements RebuildAction
+{
+    public function __construct(
+        private EntityManager $entityManager
+    ) {}
+
+    public function process(): void
+    {
+        $entity = $this->entityManager->getEntityById(SystemData::ENTITY_TYPE, SystemData::ONLY_ID);
+
+        if ($entity) {
+            return;
+        }
+
+        $this->entityManager->createEntity(SystemData::ENTITY_TYPE, ['id' => SystemData::ONLY_ID]);
+    }
+}

application/Espo/Resources/defaults/systemConfig.php

@@ -108,6 +108,7 @@ return [
         'passwordRecoveryRequestLifetime',
         'passwordChangeRequestNewUserLifetime',
         'passwordChangeRequestExistingUserLifetime',
+        'passwordRecoveryInternalIntervalPeriod',
     ],
     'adminItems' => [
         'devMode',

application/Espo/Resources/i18n/en_US/Global.json

@@ -378,7 +378,8 @@
         "cannotRelateForbiddenLink": "No access to link '{link}'.",
         "error404": "The url you requested can't be handled.",
         "error403": "You don't have an access to this area.",
-        "emptyMassUpdate": "No fields available for Mass Update."
+        "emptyMassUpdate": "No fields available for Mass Update.",
+        "attemptIntervalFailure": "The operation is not allowed during a specific time interval. Wait for some time before the next attempt."
     },
     "boolFilters": {
         "onlyMy": "Only My",

application/Espo/Tools/UserSecurity/Password/RecoveryService.php

@@ -41,6 +41,7 @@ use Espo\Core\Mail\Exceptions\SendingError;
 use Espo\Core\Mail\SmtpParams;
 use Espo\Core\Utils\Util;
 use Espo\Entities\Email;
+use Espo\Entities\SystemData;
 use Espo\Entities\User;
 use Espo\Entities\PasswordChangeRequest;
 use Espo\Entities\Portal;
@@ -63,6 +64,7 @@ class RecoveryService
     private const REQUEST_LIFETIME = '3 hours';
     private const NEW_USER_REQUEST_LIFETIME = '2 days';
     private const EXISTING_USER_REQUEST_LIFETIME = '2 days';
+    private const INTERNAL_SMTP_INTERVAL_PERIOD = '1 hour';
 
     public function __construct(
         private EntityManager $entityManager,
@@ -233,7 +235,9 @@ class RecoveryService
             $this->send($request->getRequestId(), $emailAddress, $user);
         }
         catch (SendingError $e) {
-            $this->log->error("Email sending error: " . $e->getMessage());
+            $message = "Email sending error. " . $e->getMessage();
+
+            $this->log->error($message);
 
             throw new Error("Email sending error.");
         }
@@ -289,6 +293,7 @@ class RecoveryService
 
     /**
      * @throws Error
+     * @throws Forbidden
      */
     public function createAndSendRequestForExistingUser(User $user, ?string $url = null): PasswordChangeRequest
     {
@@ -314,7 +319,9 @@ class RecoveryService
             $this->send($entity->getRequestId(), $emailAddress, $user);
         }
         catch (SendingError $e) {
-            throw new Error("Email sending error. " . $e->getMessage());
+            $this->log->error("Email sending error. " . $e->getMessage());
+
+            throw new Error("Email sending error.");
         }
 
         return $entity;
@@ -369,6 +376,7 @@ class RecoveryService
     /**
      * @throws Error
      * @throws SendingError
+     * @throws Forbidden
      */
     private function send(string $requestId, string $emailAddress, User $user): void
     {
@@ -383,6 +391,10 @@ class RecoveryService
             throw new Error("Password recovery: SMTP credentials are not defined.");
         }
 
+        if (!$this->emailSender->hasSystemSmtp()) {
+            $this->checkIntervalForInternalSmtp();
+        }
+
         $sender = $this->emailSender->create();
 
         $subjectTpl = $this->templateFileManager->getTemplate('passwordChangeLink', 'subject', 'User');
@@ -440,7 +452,7 @@ class RecoveryService
             $port = $this->config->get('internalSmtpPort');
 
             if (!$server || $port === null) {
-                throw new NoSmtp();
+                throw new NoSmtp("No internal SMTP");
             }
 
             $smtpParams = SmtpParams
@@ -458,6 +470,8 @@ class RecoveryService
         }
 
         $sender->send($email);
+
+        $this->lastPasswordRecoveryDate();
     }
 
     /**
@@ -495,4 +509,55 @@ class RecoveryService
         /** @var PortalRepository */
         return $this->entityManager->getRDBRepository(Portal::ENTITY_TYPE);
     }
+
+    /**
+     * @throws Forbidden
+     */
+    private function checkIntervalForInternalSmtp(): void
+    {
+        /** @var string $period */
+        $period = $this->config->get('passwordRecoveryInternalIntervalPeriod') ??
+            self::INTERNAL_SMTP_INTERVAL_PERIOD;
+
+        $data = $this->entityManager->getEntityById(SystemData::ENTITY_TYPE, SystemData::ONLY_ID);
+
+        if (!$data) {
+            return;
+        }
+
+        /** @var ?string $lastPasswordRecoveryDate */
+        $lastPasswordRecoveryDate = $data->get('lastPasswordRecoveryDate');
+
+        if (!$lastPasswordRecoveryDate) {
+            return;
+        }
+
+        $notPassed = DateTime::fromString($lastPasswordRecoveryDate)
+            ->modify('+' . $period)
+            ->isGreaterThan(DateTime::createNow());
+
+        if (!$notPassed) {
+            return;
+        }
+
+        throw Forbidden::createWithBody(
+            'Internal password recovery attempt interval failure.',
+            Error\Body::create()
+                ->withMessageTranslation('attemptIntervalFailure')
+                ->encode()
+        );
+    }
+
+    private function lastPasswordRecoveryDate(): void
+    {
+        $data = $this->entityManager->getEntityById(SystemData::ENTITY_TYPE, SystemData::ONLY_ID);
+
+        if (!$data) {
+            return;
+        }
+
+        $data->set('lastPasswordRecoveryDate', DateTime::createNow()->getString());
+
+        $this->entityManager->saveEntity($data);
+    }
 }