From dd383300b1149a97d2027b314e847bbebf16720f Mon Sep 17 00:00:00 2001
From: Sam
Date: Mon, 19 Dec 2016 11:03:07 +1100
Subject: [PATCH] FEATURE: rate limit by login on password reset

---
 app/controllers/session_controller.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index dbe443a2faa..7ac3749f46b 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -218,6 +218,9 @@ class SessionController < ApplicationController
     RateLimiter.new(nil, "forgot-password-hr-#{request.remote_ip}", 6, 1.hour).performed!
     RateLimiter.new(nil, "forgot-password-min-#{request.remote_ip}", 3, 1.minute).performed!
 
+    RateLimiter.new(nil, "forgot-password-login-hour-#{params[:login].to_s[0..100]}", 12, 1.hour).performed!
+    RateLimiter.new(nil, "forgot-password-login-min-#{params[:login].to_s[0..100]}", 3, 1.minute).performed!
+
     user = User.find_by_username_or_email(params[:login])
     user_presence = user.present? && user.id != Discourse::SYSTEM_USER_ID && !user.staged
     if user_presence
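Review bot: The two new per-login keys are built from `params[:login]` exactly as typed, so if `User.find_by_username_or_email` matches case-insensitively and ignores surrounding whitespace (the lookup is not in the hunk, but that is the usual behaviour for email/username lookups) an attacker can keep hammering one account while each variant such as `alice`, `Alice`, `ALICE` or ` alice` lands in a fresh bucket, sidestepping the 12/hour limit this commit adds. Normalise once and reuse it in both keys: `login = params[:login].to_s.strip.downcase[0..100]`, then `RateLimiter.new(nil, "forgot-password-login-hour-#{login}", 12, 1.hour).performed!` and `RateLimiter.new(nil, "forgot-password-login-min-#{login}", 3, 1.minute).performed!`. Minor: `[0..100]` keeps 101 characters rather than 100; `[0, 100]` says what was presumably meant. Firing the per-login limiter before the user lookup and regardless of whether the account exists is the right ordering, since it stops the limiter from becoming an enumeration oracle, but it also means anyone can exhaust a victim's reset budget for an hour, which deserves a comment such as `# keyed on the submitted login, not on user existence, so the limiter cannot be used to probe for accounts; a third party can still consume a target's budget`. The enclosing action begins outside the hunk.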