FIX: rate limit password reset email

2025-05-21 18:12:32 +08:00 · 2014-08-18 10:55:30 +10:00
parent 582ec5954f
commit e0a82d3088
5 changed files with 38 additions and 14 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -1,3 +1,5 @@
+require_dependency 'rate_limiter'
+
 class SessionController < ApplicationController

  skip_before_filter :redirect_to_login_if_required
@ -93,6 +95,9 @@ class SessionController < ApplicationController
      return
    end

+    RateLimiter.new(nil, "forgot-password-hr-#{request.remote_ip}", 6, 1.hour).performed!
+    RateLimiter.new(nil, "forgot-password-min-#{request.remote_ip}", 3, 1.minute).performed!
+
    user = User.find_by_username_or_email(params[:login])
    if user.present?
      email_token = user.email_tokens.create(email: user.email)
@ -100,6 +105,9 @@ class SessionController < ApplicationController
    end
    # always render of so we don't leak information
    render json: {result: "ok"}
+
+  rescue RateLimiter::LimitExceeded
+    render_json_error(I18n.t("rate_limiter.slow_down"))
  end

  def current