
Add a rate limit to requesting account recovery links from a given remote address
ClosedPublic

Authored by epriestley on Jul 19 2019, 5:02 PM.
Tags
None
Subscribers
None

Details

Summary

Depends on D20666. Ref T13343. In D20666, I limited the rate at which a given user account can be sent account recovery links.

Here, add a companion limit to the rate at which a given remote address may request recovery of any account. This limit is a little more forgiving since reasonable users may plausibly try multiple variations of several email addresses, make typos, etc. The goal is just to hinder attackers from fishing for every address under the sun on installs with no CAPTCHA configured and no broad-spectrum VPN-style access controls.
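The two-tier limit the summary describes, as an added illustration that is not Phabricator's code: a strict per-account window stops one account being flooded with recovery mail, and a looser per-remote-address window stops one address fishing for many accounts. The limit values, the `RecoveryRateLimiter` name, and the rule that a denied or unknown-account request still costs the remote address a slot are assumptions; the revision does not state Phabricator's numbers.

```python
from collections import defaultdict, deque

# Constructed limits for illustration (count, window_seconds); not Phabricator's values.
ACCOUNT_LIMIT = (3, 3600)    # strict: few recovery links per account per hour
ADDRESS_LIMIT = (20, 3600)   # forgiving: typos and several email variants are expected


class RecoveryRateLimiter:
    """Sliding-window limiter keyed both by account and by remote address."""

    def __init__(self, account_limit=ACCOUNT_LIMIT, address_limit=ADDRESS_LIMIT):
        self.account_limit = account_limit
        self.address_limit = address_limit
        self.account_hits = defaultdict(deque)   # account -> timestamps
        self.address_hits = defaultdict(deque)   # remote address -> timestamps

    @staticmethod
    def _over(hits, limit, now):
        """Drop timestamps outside the window, then report whether the limit is reached."""
        count, window = limit
        while hits and now - hits[0] >= window:
            hits.popleft()
        return len(hits) >= count

    def request(self, account, remote_addr, now):
        """Record a recovery-link request; return None if allowed, else the limit that tripped.

        `account` is None when the submitted address matches no account. Such
        probes are still charged to the remote address (an assumption here), so
        enumerating addresses is throttled even though no account counter exists.
        """
        addr_hits = self.address_hits[remote_addr]
        if self._over(addr_hits, self.address_limit, now):
            return "remote-address"
        # Every request that passes the address check costs the address one slot,
        # including requests the per-account check below goes on to deny.
        addr_hits.append(now)
        if account is None:
            return None
        acct_hits = self.account_hits[account]
        if self._over(acct_hits, self.account_limit, now):
            return "account"
        acct_hits.append(now)
        return None
```

The returned reason is what a caller would log, so an operator can tell a flooded account from an address that is working through many addresses.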

Test Plan

[Screenshot attached: Screen Shot 2019-07-19 at 9.57.53 AM.png]

Diff Detail

Repository
rP Phabricator
Branch
elogin6
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 23161
Build 31811: Run Core Tests
Build 31810: arc lint + arc unit