add rate limiting

opencollective · Jul 15, 2024 · 7133498 · 7133498
1 parent e26ab2a
commit 7133498
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/config/default.json b/config/default.json
@@ -71,6 +71,7 @@
       "confirmToken": 15
     },
     "setPasswordPerUserPerHour": 10,
+    "confirmEmailPerIpPerHour": 10,
     "skipCleanOrdersLimitSlugs": "",
     "enabledMasks": "",
     "sendGuestConfirmPerMinutePerEmail": 1,

diff --git a/server/graphql/v2/mutation/IndividualMutations.ts b/server/graphql/v2/mutation/IndividualMutations.ts
@@ -135,6 +135,15 @@ const individualMutations = {
         throw new Unauthorized('OAuth and Personal Tokens are not allowed for this route');
       }
 
+      // Rate limit (by IP, since we support anonymous requests)
+      const rateLimitKey = `individual_confirm_email_ip_${req.ip}`;
+      const rateLimitMax = config.limits.confirmEmailPerIpPerHour;
+      const rateLimit = new RateLimit(rateLimitKey, rateLimitMax, ONE_HOUR_IN_SECONDS);
+      if (!(await rateLimit.registerCall())) {
+        throw new RateLimitExceeded();
+      }
+
+      // Confirm email
       const user = await confirmUserEmail(confirmEmailToken);
       const individual = await user.getCollective({ loaders: req.loaders });