add password update rate limit

src/routes/settings/+page.server.ts

@@ -23,10 +23,13 @@ import {
 import { decodeBase64 } from "@oslojs/encoding";
 import { get2FARedirect } from "$lib/server/2fa";
 import { deleteUserTOTPKey, totpUpdateBucket } from "$lib/server/totp";
+import { ExpiringTokenBucket } from "$lib/server/rate-limit";
 
 import type { Actions, RequestEvent } from "./$types";
 import type { SessionFlags } from "$lib/server/session";
 
+const passwordUpdateBucket = new ExpiringTokenBucket<string>(5, 60 * 30);
+
 export async function load(event: RequestEvent) {
 	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
@@ -79,6 +82,14 @@ async function updatePasswordAction(event: RequestEvent) {
 			}
 		});
 	}
+	if (!passwordUpdateBucket.check(event.locals.session.id, 1)) {
+		return fail(429, {
+			password: {
+				message: "Too many requests"
+			}
+		});
+	}
+
 	const formData = await event.request.formData();
 	const password = formData.get("password");
 	const newPassword = formData.get("new_password");
@@ -97,6 +108,14 @@ async function updatePasswordAction(event: RequestEvent) {
 			}
 		});
 	}
+
+	if (!passwordUpdateBucket.consume(event.locals.session.id, 1)) {
+		return fail(429, {
+			password: {
+				message: "Too many requests"
+			}
+		});
+	}
 	const passwordHash = getUserPasswordHash(event.locals.user.id);
 	const validPassword = await verifyPasswordHash(passwordHash, password);
 	if (!validPassword) {