Use custom rate limiter when asking verif email

2018-08-31 11:44:07 +02:00 · 2018-08-31 11:44:07 +02:00 · 288fe38590
parent 328e607d32
commit 288fe38590
2 changed files with 11 additions and 1 deletions
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@ -42,6 +42,12 @@ const loginRateLimiter = new RateLimit({
  delayMs: 0
 })

+const askSendEmailLimiter = new RateLimit({
+  windowMs: RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
+  max: RATES_LIMIT.ASK_SEND_EMAIL.MAX,
+  delayMs: 0
+})
+
 const usersRouter = express.Router()
 usersRouter.use('/', meRouter)

@ -114,7 +120,7 @@ usersRouter.post('/:id/reset-password',
 )

 usersRouter.post('/ask-send-verify-email',
-  loginRateLimiter,
+  askSendEmailLimiter,
  asyncMiddleware(usersAskSendVerifyEmailValidator),
  asyncMiddleware(askSendVerifyUserEmail)
 )
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@ -364,6 +364,10 @@ const RATES_LIMIT = {
  LOGIN: {
    WINDOW_MS: 5 * 60 * 1000, // 5 minutes
    MAX: 15 // 15 attempts
+  },
+  ASK_SEND_EMAIL: {
+    WINDOW_MS: 5 * 60 * 1000, // 5 minutes
+    MAX: 3 // 3 attempts
  }
 }