additional rate limiting on email endpoints

2025-04-12 16:48:12 -05:00 · 2017-09-27 20:53:29 -04:00 · 2017-09-27 20:53:29 -04:00 · 132d99404c
commit 132d99404c
parent 184fe0cd64
2 changed files with 20 additions and 25 deletions
--- a/src/Api/Controllers/AccountsController.cs
+++ b/src/Api/Controllers/AccountsController.cs
@ -88,9 +88,8 @@ namespace Bit.Api.Controllers
            await _userService.InitiateEmailChangeAsync(user, model.NewEmail);
        }

-        [HttpPut("email")]
        [HttpPost("email")]
-        public async Task PutEmail([FromBody]EmailRequestModel model)
+        public async Task PostEmail([FromBody]EmailRequestModel model)
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if(user == null)
@ -150,9 +149,8 @@ namespace Bit.Api.Controllers
            throw new BadRequestException(ModelState);
        }

-        [HttpPut("password")]
        [HttpPost("password")]
-        public async Task PutPassword([FromBody]PasswordRequestModel model)
+        public async Task PostPassword([FromBody]PasswordRequestModel model)
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if(user == null)
@ -176,9 +174,8 @@ namespace Bit.Api.Controllers
            throw new BadRequestException(ModelState);
        }

-        [HttpPut("key")]
        [HttpPost("key")]
-        public async Task PutKey([FromBody]UpdateKeyRequestModel model)
+        public async Task PostKey([FromBody]UpdateKeyRequestModel model)
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if(user == null)
@ -214,9 +211,8 @@ namespace Bit.Api.Controllers
            throw new BadRequestException(ModelState);
        }

-        [HttpPut("security-stamp")]
        [HttpPost("security-stamp")]
-        public async Task PutSecurityStamp([FromBody]SecurityStampRequestModel model)
+        public async Task PostSecurityStamp([FromBody]SecurityStampRequestModel model)
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if(user == null)
@ -293,9 +289,8 @@ namespace Bit.Api.Controllers
            return revisionDate;
        }

-        [HttpPut("keys")]
        [HttpPost("keys")]
-        public async Task<KeysResponseModel> PutKeys([FromBody]KeysRequestModel model)
+        public async Task<KeysResponseModel> PostKeys([FromBody]KeysRequestModel model)
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if(user == null)
@ -431,10 +426,9 @@ namespace Bit.Api.Controllers
            }
        }

-        [HttpPut("payment")]
        [HttpPost("payment")]
        [SelfHosted(NotSelfHostedOnly = true)]
-        public async Task PutPayment([FromBody]PaymentRequestModel model)
+        public async Task PostPayment([FromBody]PaymentRequestModel model)
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if(user == null)
@ -445,10 +439,9 @@ namespace Bit.Api.Controllers
            await _userService.ReplacePaymentMethodAsync(user, model.PaymentToken);
        }

-        [HttpPut("storage")]
        [HttpPost("storage")]
        [SelfHosted(NotSelfHostedOnly = true)]
-        public async Task PutStorage([FromBody]StorageRequestModel model)
+        public async Task PostStorage([FromBody]StorageRequestModel model)
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if(user == null)
@ -459,10 +452,9 @@ namespace Bit.Api.Controllers
            await _userService.AdjustStorageAsync(user, model.StorageGbAdjustment.Value);
        }

-        [HttpPut("license")]
        [HttpPost("license")]
        [SelfHosted(SelfHostedOnly = true)]
-        public async Task PutLicense(LicenseRequestModel model)
+        public async Task PostLicense(LicenseRequestModel model)
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if(user == null)
@ -479,10 +471,9 @@ namespace Bit.Api.Controllers
            await _userService.UpdateLicenseAsync(user, license);
        }

-        [HttpPut("cancel-premium")]
        [HttpPost("cancel-premium")]
        [SelfHosted(NotSelfHostedOnly = true)]
-        public async Task PutCancel()
+        public async Task PostCancel()
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if(user == null)
@ -493,10 +484,9 @@ namespace Bit.Api.Controllers
            await _userService.CancelPremiumAsync(user, true);
        }

-        [HttpPut("reinstate-premium")]
        [HttpPost("reinstate-premium")]
        [SelfHosted(NotSelfHostedOnly = true)]
-        public async Task PutReinstate()
+        public async Task PostReinstate()
        {
            var user = await _userService.GetUserByPrincipalAsync(User);
            if(user == null)
--- a/src/Api/settings.json
+++ b/src/Api/settings.json
@ -79,8 +79,8 @@
      },
      {
        "Endpoint": "post:/account/password-hint",
-        "Period": "1m",
-        "Limit": 2
+        "Period": "60m",
+        "Limit": 5
      },
      {
        "Endpoint": "post:/account/email-token",
@ -89,7 +89,7 @@
      },
      {
        "Endpoint": "post:/account/email",
-        "Period": "10m",
+        "Period": "60m",
        "Limit": 5
      },
      {
@ -99,12 +99,17 @@
      },
      {
        "Endpoint": "post:/account/verify-email",
-        "Period": "10m",
+        "Period": "60m",
        "Limit": 5
      },
      {
-        "Endpoint": "put:/account/email",
+        "Endpoint": "post:/account/delete-recover-token",
        "Period": "1m",
+        "Limit": 2
+      },
+      {
+        "Endpoint": "post:/account/delete-recover",
+        "Period": "60m",
        "Limit": 5
      },
      {