17 lines
671 B
Ruby
17 lines
671 B
Ruby
# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
|
|
|
|
#
|
|
# Throttle password reset requests
|
|
#
|
|
API_V1_USERS__PASSWORD_RESET_PATH = '/api/v1/users/password_reset'.freeze
|
|
Rack::Attack.throttle('limit password reset requests per username', limit: 3, period: 60) do |req|
|
|
if req.path == API_V1_USERS__PASSWORD_RESET_PATH && req.post?
|
|
# Normalize to protect against rate limit bypasses.
|
|
req.params['username'].to_s.downcase.gsub(%r{\s+}, '')
|
|
end
|
|
end
|
|
Rack::Attack.throttle('limit password reset requests per source IP address', limit: 3, period: 60) do |req|
|
|
if req.path == API_V1_USERS__PASSWORD_RESET_PATH && req.post?
|
|
req.ip
|
|
end
|
|
end
|