add password update rate limit

2025-09-08 17:40:27 +00:00 · 2024-10-06 15:31:49 +09:00 · 2024-10-06 15:31:49 +09:00 · d440b7c183
commit d440b7c183
parent 776249c829
1 changed files with 19 additions and 0 deletions
--- a/src/routes/settings/+page.server.ts
+++ b/src/routes/settings/+page.server.ts
@ -23,10 +23,13 @@ import {
 import { decodeBase64 } from "@oslojs/encoding";
 import { get2FARedirect } from "$lib/server/2fa";
 import { deleteUserTOTPKey, totpUpdateBucket } from "$lib/server/totp";
+import { ExpiringTokenBucket } from "$lib/server/rate-limit";

 import type { Actions, RequestEvent } from "./$types";
 import type { SessionFlags } from "$lib/server/session";

+const passwordUpdateBucket = new ExpiringTokenBucket<string>(5, 60 * 30);
+
 export async function load(event: RequestEvent) {
 	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
@ -79,6 +82,14 @@ async function updatePasswordAction(event: RequestEvent) {
 			}
 		});
 	}
+	if (!passwordUpdateBucket.check(event.locals.session.id, 1)) {
+		return fail(429, {
+			password: {
+				message: "Too many requests"
+			}
+		});
+	}
+
 	const formData = await event.request.formData();
 	const password = formData.get("password");
 	const newPassword = formData.get("new_password");
@ -97,6 +108,14 @@ async function updatePasswordAction(event: RequestEvent) {
 			}
 		});
 	}
+
+	if (!passwordUpdateBucket.consume(event.locals.session.id, 1)) {
+		return fail(429, {
+			password: {
+				message: "Too many requests"
+			}
+		});
+	}
 	const passwordHash = getUserPasswordHash(event.locals.user.id);
 	const validPassword = await verifyPasswordHash(passwordHash, password);
 	if (!validPassword) {