Fix ratelimiter for forgotpassword

2025-01-19 05:33:31 +01:00 · 2021-03-28 20:56:46 +09:00 · 2021-03-28 20:56:46 +09:00 · b7b6cef880
commit b7b6cef880
parent 85ba9e96a0
3 changed files with 4 additions and 5 deletions
--- a/BTCPayServer/Controllers/AccountController.cs
+++ b/BTCPayServer/Controllers/AccountController.cs
@ -547,6 +547,7 @@ namespace BTCPayServer.Controllers
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
+        [RateLimitsFilter(ZoneLimits.ForgotPassword, Scope = RateLimitsScope.RemoteAddress)]
        public async Task<IActionResult> ForgotPassword(ForgotPasswordViewModel model)
        {
            if (ModelState.IsValid)
@ -557,8 +558,6 @@ namespace BTCPayServer.Controllers
                    // Don't reveal that the user does not exist or is not confirmed
                    return RedirectToAction(nameof(ForgotPasswordConfirmation));
                }
-                if (!await _rateLimitService.Throttle(ZoneLimits.ForgotPassword, user.NormalizedEmail))
-                    return new TooManyRequestsResult(ZoneLimits.ForgotPassword);
                _eventAggregator.Publish(new UserPasswordResetRequestedEvent()
                {
                    User = user, RequestUri = Request.GetAbsoluteRootUri()
--- a/BTCPayServer/Hosting/BTCPayServerServices.cs
+++ b/BTCPayServer/Hosting/BTCPayServerServices.cs
@ -411,7 +411,7 @@ namespace BTCPayServer.Hosting
                    rateLimits.SetZone($"zone={ZoneLimits.Register} rate=1000r/min burst=100 nodelay");
                    rateLimits.SetZone($"zone={ZoneLimits.PayJoin} rate=1000r/min burst=100 nodelay");
                    rateLimits.SetZone($"zone={ZoneLimits.Shopify} rate=1000r/min burst=100 nodelay");
-                    rateLimits.SetZone($"zone={ZoneLimits.ForgotPassword} rate=1r/d burst=3 nodelay");
+                    rateLimits.SetZone($"zone={ZoneLimits.ForgotPassword} rate=5r/d burst=3 nodelay");
                }
                else
                {
@ -419,7 +419,7 @@ namespace BTCPayServer.Hosting
                    rateLimits.SetZone($"zone={ZoneLimits.Register} rate=2r/min burst=2 nodelay");
                    rateLimits.SetZone($"zone={ZoneLimits.PayJoin} rate=5r/min burst=3 nodelay");
                    rateLimits.SetZone($"zone={ZoneLimits.Shopify} rate=20r/min burst=3 nodelay");
-                    rateLimits.SetZone($"zone={ZoneLimits.ForgotPassword} rate=1r/d burst=3 nodelay");
+                    rateLimits.SetZone($"zone={ZoneLimits.ForgotPassword} rate=5r/d burst=5 nodelay");
                }
                return rateLimits;
            });
--- a/BTCPayServer/ZoneLimits.cs
+++ b/BTCPayServer/ZoneLimits.cs
@ -6,6 +6,6 @@ namespace BTCPayServer
        public const string Register = "btcpayregister";
        public const string PayJoin = "PayJoin";
        public const string Shopify = nameof(Shopify);
-        public static string ForgotPassword = "forgotpassword";
+        public const string ForgotPassword = "forgotpassword";
    }
 }