# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
#
# Throttle password reset requests
#
API_V1_USERS__PASSWORD_RESET_PATH = '/api/v1/users/password_reset'.freeze

# Each throttle block returns the discriminator the request is counted under;
# returning nil (here via `next`) leaves the request uncounted by that rule.
# Both rules apply to the same requests: a POST whose path is exactly the
# password reset endpoint.
# NOTE(review): the path check is an exact string comparison, so any variant
# of this route the router also accepts (trailing slash, format suffix) would
# not be counted here — confirm against the routing table.
Rack::Attack.throttle('limit password reset requests per username', limit: 3, period: 60) do |req|
  next unless req.post? && req.path == API_V1_USERS__PASSWORD_RESET_PATH

  # Key on the normalized username: case and whitespace variants of the same
  # username must land in one bucket, otherwise each variant gets its own
  # allowance of attempts.
  req.params['username'].to_s.downcase.gsub(/\s+/, '')
end

Rack::Attack.throttle('limit password reset requests per source IP address', limit: 3, period: 60) do |req|
  next unless req.post? && req.path == API_V1_USERS__PASSWORD_RESET_PATH

  # req.ip is Rack::Request#ip, which derives the client address from
  # forwarded-for headers subject to Rack's trusted-proxy filter; this bucket
  # is only as reliable as that proxy configuration at the deployment's edge.
  req.ip
end