FEATURE: rate limit by login on password reset

2025-01-19 04:42:55 +08:00 · 2016-12-19 11:03:07 +11:00 · 2016-12-19 11:03:07 +11:00 · dd383300b1
commit dd383300b1
parent 0599bd0154
1 changed files with 3 additions and 0 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -218,6 +218,9 @@ class SessionController < ApplicationController
    RateLimiter.new(nil, "forgot-password-hr-#{request.remote_ip}", 6, 1.hour).performed!
    RateLimiter.new(nil, "forgot-password-min-#{request.remote_ip}", 3, 1.minute).performed!

+    RateLimiter.new(nil, "forgot-password-login-hour-#{params[:login].to_s[0..100]}", 12, 1.hour).performed!
+    RateLimiter.new(nil, "forgot-password-login-min-#{params[:login].to_s[0..100]}", 3, 1.minute).performed!
+
    user = User.find_by_username_or_email(params[:login])
    user_presence = user.present? && user.id != Discourse::SYSTEM_USER_ID && !user.staged
    if user_presence