Use custom rate limiter when asking verif email
authorChocobozzz <me@florianbigard.com>
Fri, 31 Aug 2018 09:44:07 +0000 (11:44 +0200)
committerChocobozzz <me@florianbigard.com>
Fri, 31 Aug 2018 09:44:44 +0000 (11:44 +0200)
server/controllers/api/users/index.ts
server/initializers/constants.ts

index 008c34ca480c42a11bf683375743025fc5834705..01ee73a53474068dce0155e5811ecba7f2a53bf2 100644 (file)
@@ -42,6 +42,12 @@ const loginRateLimiter = new RateLimit({
   delayMs: 0
 })
 
+const askSendEmailLimiter = new RateLimit({
+  windowMs: RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
+  max: RATES_LIMIT.ASK_SEND_EMAIL.MAX,
+  delayMs: 0
+})
+
 const usersRouter = express.Router()
 usersRouter.use('/', meRouter)
 
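Review bot: `askSendEmailLimiter` is created with no key function or store, so if `RateLimit` is express-rate-limit (its import is outside this hunk) requests are counted per `req.ip` in process memory. With `max` set to 3, a deployment behind a reverse proxy where Express does not trust the forwarded address would place every user in one bucket, and three requests from any client would block verification mails for the whole instance for five minutes. The declaration should carry a comment stating that dependency, e.g. `// keyed on req.ip: 'trust proxy' must be set when running behind a reverse proxy`. Whether the app sets it cannot be seen from here and should be confirmed.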
@@ -114,7 +120,7 @@ usersRouter.post('/:id/reset-password',
 )
 
 usersRouter.post('/ask-send-verify-email',
-  loginRateLimiter,
+  askSendEmailLimiter,
   asyncMiddleware(usersAskSendVerifyEmailValidator),
   asyncMiddleware(askSendVerifyUserEmail)
 )
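Review bot: The limiter on `/ask-send-verify-email` bounds requests per client, not mails per recipient, so requests from several clients can still trigger repeated verification mails to the same address. If `askSendVerifyUserEmail` (defined outside this hunk) does not already enforce it, a per-user cooldown in that handler would close the gap. At minimum a comment above the route, such as `// per-client limit only; does not cap mails sent to a single address`, would document what remains. Because the limiter is mounted before `usersAskSendVerifyEmailValidator`, requests that fail validation also use up the budget of 3; that looks intended but deserves a mention in the same comment.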
index 16d8dca68598fc4da364d815d39bc2e74258c5e9..536d99713c2d5602bbd624f2ab52936b421a4ea1 100644 (file)
@@ -364,6 +364,10 @@ const RATES_LIMIT = {
   LOGIN: {
     WINDOW_MS: 5 * 60 * 1000, // 5 minutes
     MAX: 15 // 15 attempts
+  },
+  ASK_SEND_EMAIL: {
+    WINDOW_MS: 5 * 60 * 1000, // 5 minutes
+    MAX: 3 // 3 attempts
   }
 }