Rate limit password forgot

This commit is contained in:
nicolas.dorier 2021-03-26 18:01:45 +09:00
parent b4e15cb27f
commit 85ba9e96a0
No known key found for this signature in database
GPG key ID: 6618763EF09186FE
3 changed files with 9 additions and 0 deletions


@ -1,5 +1,6 @@
using System;
using System.Globalization;
using System.Security.Policy;
using System.Threading.Tasks;
using BTCPayServer.Abstractions.Constants;
using BTCPayServer.Abstractions.Extensions;
@ -34,6 +35,7 @@ namespace BTCPayServer.Controllers
readonly Configuration.BTCPayServerOptions _Options;
private readonly BTCPayServerEnvironment _btcPayServerEnvironment;
public U2FService _u2FService;
private readonly RateLimitService _rateLimitService;
private readonly EventAggregator _eventAggregator;
readonly ILogger _logger;
@ -45,6 +47,7 @@ namespace BTCPayServer.Controllers
Configuration.BTCPayServerOptions options,
BTCPayServerEnvironment btcPayServerEnvironment,
U2FService u2FService,
RateLimitService rateLimitService,
EventAggregator eventAggregator)
{
_userManager = userManager;
@ -54,6 +57,7 @@ namespace BTCPayServer.Controllers
_Options = options;
_btcPayServerEnvironment = btcPayServerEnvironment;
_u2FService = u2FService;
_rateLimitService = rateLimitService;
_eventAggregator = eventAggregator;
_logger = Logs.PayServer;
}
@ -553,6 +557,8 @@ namespace BTCPayServer.Controllers
// Don't reveal that the user does not exist or is not confirmed
return RedirectToAction(nameof(ForgotPasswordConfirmation));
}
if (!await _rateLimitService.Throttle(ZoneLimits.ForgotPassword, user.NormalizedEmail))
return new TooManyRequestsResult(ZoneLimits.ForgotPassword);
_eventAggregator.Publish(new UserPasswordResetRequestedEvent()
{
User = user, RequestUri = Request.GetAbsoluteRootUri()
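Review bot: The throttled path after the `_rateLimitService.Throttle` check returns a 429 `TooManyRequestsResult`, while the unknown-user path just above keeps returning the ForgotPasswordConfirmation redirect, so once the zone's burst is exhausted the response status alone tells a caller whether an account exists for that email — exactly what the comment on the preceding lines says must not be revealed. Returning the same redirect when throttled keeps both paths indistinguishable: `if (!await _rateLimitService.Throttle(ZoneLimits.ForgotPassword, user.NormalizedEmail)) return RedirectToAction(nameof(ForgotPasswordConfirmation));`. The `using System.Security.Policy;` added in the first hunk is not referenced by any line shown and looks like an accidental auto-import; if nothing outside these hunks uses it, drop it. The enclosing ForgotPassword action starts and ends outside the hunk.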


@ -411,6 +411,7 @@ namespace BTCPayServer.Hosting
rateLimits.SetZone($"zone={ZoneLimits.Register} rate=1000r/min burst=100 nodelay");
rateLimits.SetZone($"zone={ZoneLimits.PayJoin} rate=1000r/min burst=100 nodelay");
rateLimits.SetZone($"zone={ZoneLimits.Shopify} rate=1000r/min burst=100 nodelay");
rateLimits.SetZone($"zone={ZoneLimits.ForgotPassword} rate=1r/d burst=3 nodelay");
}
else
{
@ -418,6 +419,7 @@ namespace BTCPayServer.Hosting
rateLimits.SetZone($"zone={ZoneLimits.Register} rate=2r/min burst=2 nodelay");
rateLimits.SetZone($"zone={ZoneLimits.PayJoin} rate=5r/min burst=3 nodelay");
rateLimits.SetZone($"zone={ZoneLimits.Shopify} rate=20r/min burst=3 nodelay");
rateLimits.SetZone($"zone={ZoneLimits.ForgotPassword} rate=1r/d burst=3 nodelay");
}
return rateLimits;
});
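Review bot: Both branches set the ForgotPassword zone to `rate=1r/d burst=3 nodelay`, although the first branch (1000r/min for every other zone) appears to be the relaxed configuration; if that strictness is intended there too, a comment such as `// ForgotPassword stays strict in every environment: it bounds reset emails sent to one address` would make that explicit, otherwise callers of that configuration that request more than three resets for one address per day will start receiving 429s. `r/d` is also a rate unit none of the neighbouring zones use, so confirm that the zone parser behind `SetZone` accepts a per-day rate rather than rejecting or misreading it at startup. The enclosing registration lambda starts outside the hunk.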


@ -6,5 +6,6 @@ namespace BTCPayServer
public const string Register = "btcpayregister";
public const string PayJoin = "PayJoin";
public const string Shopify = nameof(Shopify);
public static string ForgotPassword = "forgotpassword";
}
}
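Review bot: `ForgotPassword` is declared `public static string` while its siblings are `public const string`, which leaves a mutable public field that any code can reassign at runtime even though the zone names in Hosting are read from it at startup; declare it `public const string ForgotPassword = "forgotpassword";` to match the other zone identifiers. The enclosing class header is outside the hunk.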