go/pocketbase
1
0
Fork 0
mirror of https://github.com/pocketbase/pocketbase.git synced 2025-03-31 09:42:09 +02:00
Code Issues Releases Activity

updated otp manual rate limiter

Browse Source
This commit is contained in:
Gani Georgiev 2024-11-09 12:24:46 +02:00
parent 9cb6adab4d
commit 339399b0a4
2 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apis/record_auth_with_otp.go
View File

@ -52,7 +52,7 @@ func recordAuthWithOTP(e *core.RequestEvent) error {
}
// since otps are usually simple digit numbers we enforce an extra rate limit rule to prevent enumerations
err = checkRateLimit(e, "@pb_otp_"+event.OTP.Id+event.Record.Id, core.RateLimitRule{MaxRequests: 4, Duration: 180})
err = checkRateLimit(e, "@pb_otp_"+event.Record.Id, core.RateLimitRule{MaxRequests: 5, Duration: 180})
if err != nil {
return e.TooManyRequestsError("Too many attempts, please try again later with a new OTP.", nil)
}

10
apis/record_auth_with_otp_test.go
View File

@ -387,11 +387,13 @@ func TestRecordAuthWithOTPManualRateLimiterCheck(t *testing.T) {
}{
{otpAId, "12345", 400},
{otpAId, "12345", 400},
{otpAId, "12345", 400},
{otpAId, "12345", 400},
{otpAId, "123456", 429},
{otpBId, "12345", 400},
{otpBId, "123456", 200},
{otpBId, "12345", 400},
{otpBId, "12345", 400},
{otpAId, "12345", 429},
{otpAId, "123456", 429}, // reject even if it is correct
{otpAId, "123456", 429},
{otpBId, "123456", 429},
}
for _, s := range scenarios {